Welcome to MOVIG, a product provided to you by Dolphin Technologies GmbH, Stella-Klein-Löw-Weg 11, A-1020 Vienna, Austria on behalf of Vienna Insurance Group AG Wiener Versicherung Gruppe, Schottenring 30, A-1010 Vienna (hereinafter “Dolphin”, “VIG”, “we”, “us” or “our”).

MOVIG provides you (“User” or “you“) with information on your MOVE Score, your MOVE IQ and your CO2 footprint while driving. Additionally, you will receive information on your use of public transportation, bicycle trips and walks.

The MOVE Score consists of two components: the ETR value (Exposure to Risk) and the MOVE IQ. The ETR value reflects how long and on which types of roads you are driving, while the MOVE IQ assesses your individual risk based on your driving behavior. Factors such as compliance with speed limits, cornering speed, acceleration and braking patterns, as well as refraining from smartphone use while driving, are taken into account in this assessment.

In addition to providing this information, you may receive MOVIG Coins as a reward for safe driving behavior, based on the criteria mentioned above, as well as on other occasions. Such coins are stored in your MOVIG Wallet for future use.

MOVIG is intended for demonstration and evaluation purposes and allows for personalization and the creation of individual user groups by providing and using a MOVIG PROJECT CODE. If you use such a code during installation, please note the relevant section below.

This Data Privacy Statement applies to the processing of personal data when you are using our Service (as defined below). It explains which personal data we collect, process and store.

You may find further information in our Terms of Use, and on our website www.movig.app. Please read the documents carefully as they govern your use of our Service.

If you have any questions about the collecting, storage and processing of personal data, please contact us at privacy@movig.app.

• Name and address of the data controller

Dolphin Technologies GmbH
Stella-Klein-Löw-Weg 11
1020 Vienna / Austria
email: privacy@movig.app

1. Scope of Application, General Principles

1. This Data Privacy Statement applies to the processing of personal data when using our “Service”, meaning our

• MOVIG App (“App”);
• website www.movig.app (“Website”);
• smartphone application software (“Software”);
• all of our Content (as defined in Section 4) and
• all modifications and new features. 

1. 1. By using our Service and/or signing up for an Account (“Account”), you agree to be bound by this Data Privacy Statement including any policies or other terms referred to in or incorporated by this Data Privacy Statement (such as our Terms of Use). If you do not agree with this Data Privacy Statement or our Terms of Use, you must not use our Service.

• We are committed to the sensitive handling and active protection of personal data as well as transparent information for users, especially regarding data collection and use. However, please keep in mind that the main purpose of our Service is to collect and analyze user data. Therefore, it is in the nature of the contract between you and us, that personal data (particularly data on location, mobility, etc.) will be processed.

• To technically cover data protection as good as possible, we encrypt the data collected and rely on encrypted transmission to our high available and secure server infrastructure.

1. “Personal Data” refers to any information that relates to an identified or identifiable individual. This includes not only obvious identifiers like a person’s name, address, email address or social security number but also less obvious data such as online identifiers, location data and more. Essentially, if a piece of information can be used to identify an individual directly or indirectly, it qualifies as personal data. If data are anonymized in such a way that it can no longer be linked to a person (“Anonymized Data”), they are no longer “personal data” and therefore not included in the scope of data protection law.
2. „Processing“ in accordance with the GDPR means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
3. „Recipient“ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.

1. In general, personal data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected or to comply with contractual or legal obligations. This is the case when the data is no longer required for the performance of the contract. Even after the contract has been concluded, it may be necessary to store personal data of the contractual partner in order to comply with contractual or legal obligations. For example, we are obliged to keep invoice data for a period of at least seven years in accordance with Section 132 (1) Austria Federal Tax Code.

1. Registration, Creating an Account
   1. When you register for our Services and create an Account, the following data and information are collected, stored and processed:

• name,
• gender,
• email address,
• phone number,
• company name.

We ask for these data during your registration (Account creation).

1. The legal basis for the processing of the data is your consent pursuant to Art 6 (1) lit a GDPR, which you give us in the course of the registration. Since your registration serves to fulfil the contract or pre-contractual measures between you and us, the additional legal basis for the processing of the data is also in any case Art 6 (1) lit b GDPR.
2. You may delete your Account at any time by using the function “Delete Account” or by informing us via email at cancel@movig.app. Please note that in such a case all collected data will be deleted from our systems. This does not apply to anonymized processing results and information we need to comply with contractual or legal obligations (like billing information). 

1. Using our Service
   1. The MOVIG App is designed to collect, evaluate and analyze mobility activity. When you are using the App, we therefore collect process and store the following data:

• location data,
• sensor data (gyroscope, acceleration sensor, magnetometer),
• activity data provided by the smartphone operating system,
• quantity of registered steps (Apple Health Kit / Health-Connect for Android),
• smartphone brand,
• smartphone model;
• smartphone operating system.

1. The legal basis for the processing of the data is your consent pursuant to Art 6 (1) lit a GDPR, which you give us in the course of registration. Since the processing of the data is the main purpose of our Service, the additional legal basis for the processing of the data is also in any case Art 6 (1) lit b GDPR.

1. Automated individual decision-making, including profiling (Art. 22 GDPR)
   1. Based on the collected data as shown in chapter 4, the Service automatically calculates your personal MOVE Score which represents your overall risk while driving and the MOVE IQ. MOVE Score considers the number and duration of your trips as well as the type of roads you travel on, with highways being the safest and rural roads posing higher risks. MOVE IQ represents your individual risk and is based on the elements (a) compliance with speed limits, (b) general driving behavior (cornering, acceleration, braking) and (c) distraction (usage of smartphone while driving).
   2. The legal basis for the processing of the data is your consent pursuant to Art 22 (2) lit c GDPR, which you give us during registration.
2. Communication, User Journey
   1. We will contact you via e-mail or push messages within our App. For this purpose, we collect, process and store the following data:

• location data,
• smartphone sensor data,
• activity data (including steps) provided by your smartphone (operating system),
• quantity of registered steps (Apple Health Kit / Health-Connect for Android),
• e-mail address,
• App-ID,
• function calls in the app.

1. To send messages, we make use of external service providers:

• For sending emails: Mailjet SAS (Global HQ), France, 13-13 bis, rue de l’Aubrac, 75012, Paris, France. You can find more information on how Mailjet handles user data in their privacy policy: https://www.mailjet.com/security-privacy/
• For sending push messages: Google Firebase Cloud Messaging – Google LLC, Gordon House, Barrow Street, Dublin 4, Irland. You can find more information on how Google LLC handles user data in their privacy policy: https://firebase.google.com/
• For automated messaging workflows: Peaberry Software Inc. – “Customer.io”, USA,
  921 SW Washington Street, Suite 820, Portland, Oregon 97205

Data Storage in European Union

You can find more information on how Peaberry Inc. handles user data in their privacy policy: https://customer.io/legal/privacy-policy/ 

1. The legal basis for the processing of the data in order to communicate directly with you is the fulfillment of the contract or pre-contractual measures between you and us pursuant to Art 6 (1) lit b GDPR. 

1. 1. Enhancing and stabilizing of our Service
      1. Of course we try to prevent crashes of the MOVIG App, but unfortunately, we do not always succeed. In order to learn from such failures and to improve, we use SENTRY to collect information about the cause of the crash – but only in the case of an app crash.

• For this purpose we make use of an external service provider:

• Functional Software, Inc. – “Sentry.io”, USA,
  45 Fremont Street, 8th Floor, San Francisco, CA 94105-2250, USA

Trans-Atlantic Data Privacy Framework (TADPF)

You can find more information on how Sentry.io handles user data in their privacy policy: 

https://sentry.io/privacy/

1. The legal basis for the processing of the data is our legitimate interest pursuant to Art 6 (1) lit f GDPR. 

1. Mandatory Third-Party components – Software Development Kits (SDK)

The following SDKs are essential for the App to function and cannot be deactivated. These SDKs ensure the functionality of our App and are technical interfaces that transmit various user or technical data to third-party providers or receive data from them. The SDKs are active as long as the app is installed and used.

The legal basis for the processing of the data is your consent pursuant to Art 6 (1) lit a GDPR, which you give us during registration. Since the SDKs are technically mandatory for our Service, the additional legal basis for the processing of the data is also in any case Art 6 (1) lit b GDPR.

1. Google Firebase Cloud Messaging – Google LLC, Gordon House, Barrow Street, Dublin 4, Ireland

We use Firebase Cloud Messaging to send you push messages. These are messages that are displayed on your device without opening the App. When you install the App, your device is assigned a pseudonymized reference ID (Firebase installation ID), which serves as the destination for the push messages. When you uninstall the App, this ID is processed for a certain period before it is permanently deleted. Upon reinstallation, a new ID is assigned to your device. This ID can be (de)activated at any time in the settings of your device. If you deactivate it, you will only receive our messages when the App is open.

For more information on Firebase Cloud Messaging, in particular on the processing duration, please refer to the Google Firebase data protection information: https://firebase.google.com/

1. Google Firebase Remote Config – Google LLC, Gordon House, Barrow Street, Dublin 4, Ireland

We use Firebase Remote Config to manage the configuration of the MOVIG App on your smartphone. When you install the App, your device is assigned a pseudonymized reference ID (Firebase installation ID), which is used to select configuration values and send them to your device. When you uninstall the App, this ID is processed for a certain period before it is permanently deleted. Upon reinstallation, a new ID is assigned to your device.

For more information on Firebase Remote Config, in particular on the processing duration, please refer to the Google Firebase data protection information: https://firebase.google.com/.

1. Sentry.io – Functional Software, Inc., 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA

We use Sentry to ensure that our Service runs smoothly and to be able to respond as quickly as possible when errors occur. Sentry will automatically record and report errors that occur on the server or client side. We ensure that personal information is removed as much as possible.

For more information on Sentry, in particular on the processing duration, please refer to the Sentry data protection information: https://sentry.io.

1. Using the MOVIG app after entering a MOVIG PROJECT CODE
   1. MOVIG allows for personalization and the creation of individual user groups by providing and using a MOVIG PROJECT CODE. If you are invited to use such a code during the installation of the app, please note that the creator of the code, i.e. the party inviting you, is a Recipient of your personal data in accordance with the GDPR.
2. Accessing our Website
   1. When you access our Website, the following data and information are automatically collected from the accessing system:

• information about the browser type and the version used,
• operating system,
• IP address,
• date and time of access.

1. This data is also stored in the log files of our system. This data is not stored together with your other personal data. The legal basis for the temporary storage of the data and the log files is the protection of our legitimate interests (Art 6 (1) lit f of the EU General Data Protection Regulation – GDPR).
2. The temporary storage of your IP address by the system is necessary to enable provision of the retrieved data to your electronic device. For this purpose, your IP address must remain stored for the duration of the session. The storage of other data in log files is done to ensure the functionality of the Website. In addition, your data serves us to optimize the Website and helps us to prevent malfunctions and misuse of our systems. These purposes are also our legitimate interest in data processing according to Art 6 (1) lit f GDPR.
3. The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the Website, this is the case when the respective session has ended. In the case of storage of data in log files, this is the case after a few days at the latest, unless a longer storage period is necessary to comply with contractual or legal obligations. Beyond this, storage is only possible for statistical purposes or to optimize our Website and the content offered. In this case, your IP address is deleted or anonymized so that an assignment of the calling client is no longer possible.

1. Cookies
   1. Our Website uses cookies. Cookies are text files that are stored in the internet browser or by the internet browser on your computer system. When accessing our Website, a cookie may be stored in the cache of your internet browser, provided that you have not deactivated this function in your internet browser. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the Website is accessed again. We use cookies in order to be able to adapt our Website to the preferences of the user and to be able to recognize the user when the Website is accessed again. Cookies are particularly necessary for functions that are only available after the registered user has logged in.
   2. The following data is stored in the cookies (depending on the use of the Website): 

• log-in information, 
• data that the user has entered in an input field of the Website, 
• characteristic string, 
• IP address, date and time of access.

1. 1. When accessing our Website, you will be notified by means of an information banner about the use of cookies and you will be asked to give your consent to the processing of the personal data used in this context. The legal basis for the processing of personal data using cookies for analyzation purposes is Art 6 (1) lit a GDPR if you have given us your consent.
   2. Technically necessary cookies are required to simplify the use of the Websites for you. Some functions of our Website cannot be offered without the use of cookies (e.g. recognition of the browser after a page change). Analysis cookies are used to improve the quality of our Website and its content. Through the analysis cookies, we learn how the Website is used and can thus constantly optimize our offer.

• Google Analytics

For our Service we use Google Analytics. The provider of this service is Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA. Google Analytics uses cookies for analysis. You can find more information on how Google Analytics handles user data in Google’s privacy policy: https://policies.google.com/privacy?hl=en-US. 

Please note that by using Google Analytics personal data may be transferred to a Google server in the USA. On behalf of us, Google will use this information for the purpose of evaluating your use of the Website, compiling reports on Website activity and providing other services relating to Website activity and internet usage to us. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. 

Google Analytics is used for the purpose of improving the quality of our Website and its content. By evaluating anonymized data, we learn how the Website is used and can thus continuously optimize our offer.

1. Cookies are stored on your computer and transmitted to our Website by you. Therefore, you as a user have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been saved can be deleted at any time using the corresponding browser function. This can also be done automatically. If cookies are deactivated for our Website, however, it may no longer be possible to use all the functions of the Website to their full extent.
2. You may delete cookies that are already on your client at any time. Most modern browsers also offer the option of deactivating cookies in general. To do this, check the settings or the help menu in your browser.

1. 1. Your rights as a data subject under the GDPR

• Right of Access

In accordance with Art 15 GDPR, you can request confirmation from us as to whether personal data relating to you is being processed by us. If such processing is taking place, you can request information about the following: the purposes for which the personal data is processed; the categories of personal data which are processed; the recipients or categories of recipients to whom your personal data has been or will be disclosed; the planned duration of the storage of your personal data, if specific information on this is not possible, criteria for determining the storage period; the existence of a right to rectification or erasure of your personal data, a right to restriction of processing by us or a right to object to such processing; the existence of a right of appeal to a supervisory authority; any available information about the origin of the data if the personal data is not collected from the data subject; the existence or non-existence of automated decision-making, including profiling, pursuant to Art 22(1) and (4) GDPR and, where applicable, meaningful information about the logic involved and the scope and effects of such processing for the data subject. You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organization. In this context, you may request to be informed about the appropriate safeguards pursuant to Art 46 GDPR in connection with the transfer.

• Right of Rectification

Pursuant to Art 16 GDPR, you have the right to rectification and/or completion if your personal data is incorrect or incomplete. We must carry out the correction without delay.

1. Right to Restriction of Data Processing

Under the conditions of Art 18 (1) GDPR, you may request the processing of your personal data may be restricted.

• Right to Deletion

Pursuant to Art 17 GDPR, you may request that we delete your personal data without delay. In such case, we are obliged to delete this data without delay if one of the reasons listed in Art 17 GDPR applies. The right to deletion does not apply if the processing is required pursuant to Art 17 (3) GDPR.

1. Right to Notification

If you have asserted to right to rectification, deletion or restriction of data processing, we are obliged to inform all recipients to whom your personal data has been disclosed of this rectification or deletion or restriction of data processing, unless this proves impossible or involves a disproportionate effort. You have the right to be informed about the recipients.

• Right to Data Portability

In accordance with Art 20 GDPR, you have the right to receive your personal data that you have provided to us in a structured, common and machine-readable format.

• Right to Object, Right to Revoke

Pursuant to Art 21 GDPR, you have the right to object at any time to the processing of your personal data that is carried out on the basis of Art 6 (1) lit e or lit f GDPR for reasons arising from your particular situation. We will then no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which predominate your interests, rights and freedoms, or the data processing serves to assert, exercise or defend legal claims. If the personal data is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data for the purpose of such marketing; this also applies to any profiling, insofar as it is related to such direct marketing. If you object to the processing for direct marketing purposes, the personal data will no longer be processed for these purposes. Pursuant to Art 7 (3) GDPR, you have the right to revoke a declaration of consent under data protection law at any time. The revocation of consent does not affect the lawfulness of the data processing carried out on the basis of the consent until the revocation.

• Right of Complaint to a Supervisory Authority

Regardless of any other administrative or judicial remedy, you have the right to file a complaint with a supervisory authority, in particular in the Member State of your residence, your place of work or the place of the alleged breach, pursuant to Art 77 GDPR, if you think that the processing of your personal data infringes the GDPR. The supervisory authority with which the complaint has been filed shall inform the complainant about the status and the results of the complaint, including the possibility of a judicial remedy pursuant to Art 78 GDPR. The competent supervisory authority for Austria is the Austrian Data Protection Authority.