Privacy Statement eco.mio

For the eco.mio Web Application and Browser Extension (“Service”)

Last modified August 2022.

In this Privacy Policy we (“eco.mio“, “we“, “our“, “us“) inform you according to Article 13, GDPR about how we process your personal data we access and receive from you or your employer during all interactions, exchange of files, information or when use the Service. We will only store personal data for the sole purpose of improving business travel by making it more cost efficient and environmentally friendly. We will not sell or provide your personal data to any third parties.

Our Service may contain links to other websites that are not operated by Us. If You click on a third party link, You will be directed to that third party’s site. We strongly advise You to review the Privacy Policy of every site You visit.

We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.

Name and contact details of the responsible person

The responsible person is
eco.mio GmbH
Alexander-Schmorell-Str. 16
82031 Grünwald
represented by the managing director Katharina Riederer
e-mail: info@ecomio.com, Tel.: +49 170 8031993

(henceforth: “we“)
Please feel free to address any inquiries, suggestions, or applications to our management at any time at support@ecomio.com.

Data processed by our Service

What data do we process and store?

We process and store all your personal data, which is handed to us directly by you or indirectly by your employer or third parties. This data includes personal details (name, employee ID, job title, unit), contact information (e-mail address), work assignment locations, travel bookings and expenses (booking date, travel date, origin, destination, provider, time, cost, service class, tariff). Further, we process and save your usage data in an anonymized form.

Purpose of the processing and legal bases

The processing of the data, as described, is lawful based on the consent of the user according to Art. 6 para. 1 a) GDPR.

We use your personal data to sign you up to our service, to provide you with a Budget-to- beat during the booking process, to calculate the rewards for your trips and to display these with your booking information in the eco.mio webtool.

In addition, we use your data anonymously to analyze generated corporate cost and carbon emission savings as well as general travel trends and habits. Further, depending on the individual agreement with your company/employer eco.mio may send the payroll department a monthly aggregated (CSV) file containing your employee number and the corresponding rewards. When you voluntarily complete a user survey or provide feedback via email, we use your personal data anonymously to improve our software.

We also analyze anonymized user behavior on the service to improve our software by using cookies.

What are cookies and how do we use them?

Cookies are text files placed on your computer to collect standard internet log information and visitor behavior information. When you visit our webtool, we may collect information from you automatically through cookies to improve your experience including keeping you signed in or understanding how you use our webtool.

What types of cookies do we use?

eco.mio uses persistent functionality cookies to recognize you on our service and remember your previously selected preferences. These may include language settings, your username and password, so you can automatically log in. In addition, eco.mio makes use of statistics cookies, also known as “performance cookies”. These cookies collect information about how you use our webtool, like which pages you visited, and which links you clicked on. None of this information can be used to identify you. It is all aggregated and, therefore, anonymized. Their sole purpose is to improve our webtool functions.

How to manage cookies

You can set your browser not to accept or delete cookies. To do so, please consult the support of your browser. However, in a few cases, some of our webtool features may not function as a result.

How we store your data – Recipients or categories of recipients

We process your data ourselves and transfer your personal data to the following Software- as-a-Service and Infrastructure-as-a-Service service providers to set up and operate our Service:

  • Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxemburg
  • Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

All data is stored in computing centers in Germany (AWS Frankfurt).

Duration of storage

Your personal data will be stored for as long as you are employed at your current employer and will be deleted within six months thereafter if your employer communicates the end of your employment to us.

Requirement of Provision of Data (Art. 13 II lit. e GDPR)

The provision of your personal data is necessary for the conclusion of the terms of use.

Information on data security

We take care to ensure the highest possible level of data security when selecting our service providers. For example, our central service providers Amazon Web Services and Google are certified according to the latest security standards (including ISO 27001, ISO 27018, SOC 2, SOC 3) and have implemented comprehensive security measures. Eco.mio itself has also taken comprehensive technical and organizational measures to protect your data from loss and/or unauthorized access, alteration, etc.

Data subject rights

As a data subject, you have the right,

  • in accordance with Art. 7 (3) GDPR to revoke your consent once given to us at any time (e.g. in writing or in text form). This has the consequence that we may no longer continue the processing of your personal data in the future, insofar as it was based on this consent;
  • to request information about your personal data processed by us in accordance with Art. 15 GDPR. You may request information about the processing purposes, the category of personal data processed by us, the categories of recipients to whom your data have been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint with a supervisory authority, the origin of your data if it has not been collected from you, as well as the existence of automated decision-making including profiling within the meaning of Art. 22 (1) GDPR and, if applicable, meaningful information about its details;
  • pursuant to Art. 16 GDPR, to demand the correction of incorrect data or the completion of your personal data stored by us without undue delay;
  • pursuant to Art. 17 GDPR, to request the erasure of your personal data stored by us if one of the reasons listed in Art. 17 (1) a-f GDPR applies, provided that the processing of the data is not necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the assertion, exercise or defense and defense of legal claims;
  • pursuant to Art. 18 GDPR, to request the restriction of the processing of your personal data if you contest the accuracy of such data, the processing is unlawful but you object to its erasure, or if we no longer need your data but you need it to assert, exercise or defend and legal claims, or if you have objected to the processing pursuant to Art. 21 GDPR and it is not yet clear whether our legitimate interests override yours;
  • pursuant to Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, common and machine-readable format, if the processing is based on consent pursuant to Art. 6(1) or Art. 9(2)(a) GDPR or on a contract pursuant to Art. 6(1)(1)(b) GDPR and the processing is carried out with the aid of automated procedures. In exercising this right, you also have the right to have the personal data relating to you transferred directly from us to another controller, insofar as this is technically feasible. Freedoms and rights of other persons must not be affected by this.
  • to object to the processing of your personal data on the basis of legitimate interests in accordance with Art. 21 GDPR, insofar as there are grounds for doing so that arise from your particular situation.
  • to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR, in particular in the member state of your place of residence, your place of work or the place of the alleged infringement, if you are of the opinion that the processing of personal data concerning you violates the GDPR.
  • Please feel free to address any inquiries, suggestions, or requests to our management at support@ecomio.comat any time.
  • Incidentally, we inform you that the Bavarian State Office for Data Protection Supervision with headquarters at Promenade 18, 91522 Ansbach, https://www.lda.bayern.de/, is responsible for us.

Exercising your rights as a data subject shall be free of charge pursuant to Art. 12 GDPR. In the case of manifestly unfounded or excessive requests, however, in particular because of their repetitive character, we may charge a reasonable fee, to reflect the administrative costs incurred in handling your request or refuse to act on it.