Privacy Terms: refundrebel SAP Concur App Center Integration

As of: 28 July 2021

1. General

Data protection has a particularly high priority for the management of refundrebel GmbH. Personal data (hereinafter referred to as „data“) will only be used by us to the extent necessary and for the purpose stated in this declaration. We process data in strict compliance with the applicable data protection regulations and this data protection declaration.

This data protection statement aims to clarify the type, scope, and purpose of the processing of personal data when integrating our online offer into your SAP account through the App Center. The following information applies regardless of the domains, systems, and devices used (e.g. desktop or mobile).

We process personal data in strict compliance with the applicable data protection regulations. This means the data will only be processed with legal permission; in particular, if the processing of the data is necessary for the provision of our contractual and online services, e.g. when consent is legally required to perform our service.

The legal basis of consent is Art. 6 para. 1 lit. a and Art. 7 GDPR. The legal basis for the processing of data in order to provide our service and execute contractual duties is Art. 6 para. 1 lit. b GDPR. The legal basis for the processing of data in order to fulfill our legal obligations is Art. 6 para. 1 lit. c GDPR, and the legal basis for the processing of data for the safeguarding of our legitimate interests is Art. 6 para. 1 lit. f GDPR.

2. Information about us as controller

The controller according to Art. 4 No. 7 General Data Protection Regulation („GDPR“) is:

refundrebel GmbH
c/o Freischwimmer GmbH, Pettenkoferstrasse 9
67063 Ludwigshafen am Rhein
Telephone: +49 (0) 6221 67403 991
Email: support [at] refundrebel.com
hereinafter referred to as „refundrebel“.

Further information can be found in our imprint.

Any person concerned can also contact our data protection officer directly at any time with any questions or suggestions regarding data protection, either by post at the above address with the addition of “data protection officer” or by email at datenschutz@refundrebel.com.

 

3. Security measures

We take organizational, contractual and technical security measures following the state of the art to ensure that the provisions of data protection laws are complied with and thus to protect the data processed by us against accidental or intentional manipulation, loss, destruction or against access by unauthorized persons.

 

4. Data processing by activating refundrebel in SAP Concur

If you activate our train compensation service in SAP Concur, you agree that refundrebel will be able to access any data as described in the Concur Processor Privacy statement, as well as the App Licensing Terms and Conditions.

We use this data for the sole purpose of determining possible compensation claims due to train delays or cancellations and claiming the compensation from the respective railway company for you or your company. This is independent of which workflow our Service follows as described in our App Licensing Terms and Conditions.

Other data processing only takes place if you visit our website to create a claim as described in our data protection declaration on our website.

 

5. Data processing when contacting us

Due to legal regulations, the website of refundrebel GmbH contains information that enables quick electronic contact with our company as well as direct communication with us. This requires the specification of a valid email address, your name and a message to us. This is used to assign the request and then answer it. The specification of further data is optional. Such data voluntarily transmitted by a data subject to the data controller is stored for processing or contacting the data subject. This personal data is not passed on to third parties.

 

6. Disclosure of data to third parties

We only process your personal data for the purposes stated in this data protection declaration. Your personal data will not be passed on to third parties for purposes other than those mentioned. We only pass on your personal data to third parties if:

    • you have given your express consent,
    • processing according to Art. 6 Para. 1 lit. b GDPR is required to process a contract with you,
    • processing in accordance with Art. 6 Para. 1 lit. f GDPR is required to fulfil a legal obligation,
    • the processing is necessary to protect legitimate interests and there is no reason to assume that you have an overriding legitimate interest in not disclosing your data.

Data transfer to carry out administrative activities

The data stored for the execution of the contract and for the assertion of the compensation will be passed on to the railway companies and other third parties (e.g. service providers for IT, databases, customer service e-mail dispatch) as necessary as part of the registration and to process the compensation inquiries. The transmitted data may only be used by our service providers for the fulfilment of their tasks and not for other purposes. Insofar as there is order processing, processing takes place in compliance with the regulations for order processing in accordance with Art. 28 GDPR.

We signed Data Processing Agreements with all involved third parties and have carried out the necessary individual audits on the level of data protection.

When following the B2B-workflow as described in our App Licensing Terms and Conditions, we use the following third-party providers:

    • Amazon Web Services
      We use Amazon Web Services to host our web application. Amazon Web Services is the world’s leading server cloud computing provider, whose infrastructure uses numerous cloud services and enables us to store data centrally and in encrypted form. Business address: Amazon Web Services Inc., 410 Terry Avenue North, Seattle, Washington 98109-5210, USA.
    • MongoDB
      We use MongoDB to host our database. This is needed to analyze possible compensation claims. Business address: MongoDB, Inc., 1633 Broadway, 38th Floor New York, NY 10019, USA.
    • Mailgun (only if traveller receives money)
      If agreed on with your company, we use Mailgun to inform travellers about their eligibility for compensation. Business address: Mailgun Technologies Inc., 112 E Pecan St. 1135, San Antonio, TX 78205, USA.

When following the B2C-workflow as described in our App Licensing Terms and Conditions, we also use the following third-party provider to inform Concur-users of their existing compensation claim:

    • Mailgun
      Business address: Mailgun Technologies Inc., 112 E Pecan St. 1135, San Antonio, TX 78205, USA.

Other third parties are only involved when you create a claim on our website as described in our data protection declaration on our website.

 

7. Your rights

You have the following rights vis-à-vis us with regard to your personal data:

    • Right to information (Art. 15 GDPR),
    • Right to correction and deletion (Art. 16 and 17 GDPR),
    • Right to restriction of processing (Art. 18 GDPR),
    • Right to object to processing (Art. 21 GDPR),
    • Right to data portability (Art. 20 GDPR).

You also have the right to complain to the data protection supervisory authority about the processing of your data by us.

We would like to point out that you can revoke any data protection consent you may have given us at any time with effect for the future. The same applies to consent to advertising. The best way to do this is to send an informal email to: datenschutz@refundrebel.com. The respective revocation can mean that our offers can no longer be made available to you or only to a limited extent.

If we base the processing of your personal data on a balance of interests (Art. 6 Para. 1 S. 1 lit. f GDPR), you can object to the processing. When exercising such an objection, we ask you to explain the reasons why we should not process your personal data as we have done. In the event of your justified objection, we will examine the situation and either stop or adjust the data processing or point out to you our compelling reasons worthy of protection, on the basis of which we will continue the processing.

 

8. Deletion of data

The data stored by us will be deleted as soon as it is no longer required for its intended purpose and the deletion does not conflict with any statutory retention requirements. If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted. That is, the data will be blocked and not processed for other purposes. This applies, for example, to data that must be kept for commercial or tax law reasons.

According to legal requirements, storage is carried out for six years in accordance with section 257 (1) HGB (trading books, inventories, commercial letters, accounting documents, etc.) and for ten years in accordance with section 147 (1) AO (books, records, management reports, accounting documents, commercial and business letters, documents relevant for taxation, etc.).

 

9. Changes to this data protection declaration

We reserve the right to change this data protection declaration to adapt to legal changes or changes to the service and data processing. However, this only applies to explanations of data processing. If changes require the user's consent or parts of the data protection declaration contain provisions of the contractual relationship with the users, the changes will only be made with the consent of the user.

Users are advised to inform themselves regularly about the content of this data protection declaration.

 
