Data protection instructions

1. General information

When you visit our portal, various personal data are processed depending on the type and scope of your visit. Personal data is information relating to an identified or identifiable natural person (hereinafter “data subject”). A natural person who can be identified directly or indirectly (e.g., by means of assignment to an online identifier) is considered identifiable. This includes information such as name, address, telephone number, date of birth or IP addresses.

With these data protection instructions, we inform you in accordance with Art. 12 ff. GDPR about which personal data is processed when you visit and use our portal. In particular, below you will find information on what data we collect in connection with your visit to and use of our portal, what we use the collected data for, and for what purposes the data is collected. In addition, you will find information about the rights you have in connection with the processing of your personal data.

We reserve the right to adapt these data protection instructions with effect for the future, in particular in the event of further development of our portal, the use of new technologies or changes to the legal basis or the corresponding case law. This data protection information shall apply to all pages of our portal (portal.pendix.group). It does not extend to any linked websites or Internet presences of other providers.

2. Controller

The controller pursuant to Art. 4 No. 7 GDPR is

Pendix GmbH
Innere Schneeberger Straße 20
08056 Zwickau, Germany
Tel.: +49 (0) 375 270 667 10
E-Mail: info@pendix.com

3. Data protection officer

If you have any questions about data protection with regard to our company or our portal, you can contact our data protection officer. You can reach our data protection officer at the e-mail address datenschutz@pendix.de or at the following postal address:

GP Data GmbH
Mädler-Passage, Aufgang B
Grimmaische Str. 2-4
04109 Leipzig

4. Security

For security reasons and to protect your personal data during transmission to us, we use SSL or TLS encryption to protect your data against access by unauthorised persons. You can recognise an encrypted connection by the string https:// and the lock symbol in the address bar of your browser.

5. Purposes and legal bases of processing

5.1. Accessing and visiting the portal - server log files

For the purpose of the technical deployment of our portal, it is necessary that we process certain information automatically transmitted by your browser so that our portal can be displayed and used in your browser. This information is automatically collected each time our portal is accessed and stored in so-called “server log files”. The following information is transmitted by your browser and stored in the server log files:

  • IP address
  • Date and time of the request
  • Time zone difference from Greenwich Mean Time (GMT)
  • Content of the request (concrete page)
  • Access status/HTTP status code
  • Amount of data transferred
  • Website from which the access is made (referrer URL)
  • Browser type and version
  • Operating system used

The storage of the aforementioned access data is necessary for the provision of our portal and to ensure system security for technical reasons. This also applies to the storage of your IP address, which necessarily takes place and, under further conditions, can at least theoretically enable an assignment to your person. In addition to the aforementioned purposes, we use server log files solely for the purpose of designing and optimising our portal in line with demand, purely for statistical purposes and without any inference to your person. This data is not merged with other data sources, nor is the data evaluated for marketing purposes.

The access data collected in the course of using our portal will be stored for the period of time for which this data is required to achieve the above purposes. Your IP address is stored on our web server for a maximum of 7 days for IT security purposes.

Insofar as you visit our portal in order to use it, the basis for the temporary storage and processing of access data is Art. 6 para. 1 sentence 1 lit. b GDPR, which permits the processing of data for the fulfilment of a contract or for the performance of pre-contractual measures. In addition, Art. 6 para. 1 sentence 1 lit. f GDPR serves as the legal basis for the temporary storage of technical access data. Our legitimate interest here is to be able to provide you with a technically functioning and user-friendly portal and to ensure the security of our systems.

5.2 Use of cookies

We use so-called “cookies” on our portal. Cookies are small text files that are stored on the hard drive of the terminal device you use to access our portal. Characteristic strings contained in the cookies can be used to identify the browser you are using when accessing our portal. Cookies cannot execute programs or transmit viruses to the terminal device you are using. They are used for making our portal more user-friendly, effective and secure and for enabling the provision of certain functionalities of our portal.

Cookies may contain data that enable recognition of the terminal device you are using. Some cookies only contain information about certain settings (e.g. language settings), which are not personally identifiable.

You can refuse the use of cookies and also erase cookies at any time by making the appropriate settings on your device:

  • Most browsers are preset to accept cookies automatically. You can change this default setting by activating the “do not accept cookies” setting in your browser. For more information, contact your browser provider.
  • Already stored cookies can be erased at any time. For more information about erasing cookies, contact your browser provider.
  • Like the use of cookies, their rejection or erasure is tied to the device and browser used. You must therefore reject or erase cookies for each of your devices and, if you use multiple browsers, for each browser separately.

If you activate the “do not accept cookies” function in your browser, it is possible that not all functions of our portal will be available to you, or that individual functions will only be available to a limited extent.

A distinction is made between so-called “session cookies”, which are erased as soon as you close your browser, and so-called “permanent cookies”, which are stored beyond the individual session and are only erased after a defined period of time.

We only use session cookies on our portal that are necessary for the operation of our portal (hereinafter “necessary cookies”) by enabling basic functionalities such as page navigation or access to secure areas of our portal.

Below you will find more information about the cookies used on our portal:

Necessary cookies

| Name of the cookie | Provider | Category | Purpose of use | Storage duration |
| --- | --- | --- | --- | --- |
| px-locale | Pendix GmbH | Necessary cookie | This cookie is used to store the user’s language settings. | End of session (log out) |
| Neos_Flow_Session | Pendix GmbH | Necessary cookie | This cookie is used to store the user’s current login. | End of session (log out) |

The legal basis for the storage of necessary cookies is Art. 25 para. 2 no. 2 TTDSG (German Telecommunications Telemedia Data Protection Act).

5.3. Registration

5.3.1. Registration as private customer

The use of our portal as a private customer requires prior registration. In connection with the registration for our portal, we process the personal data provided by you during the registration process:

  • E-mail address
  • Language

After registration, you have the option to voluntarily add additional information about yourself to your profile (name, address, gender, height, weight).

The user account created after successful registration can be used both for using the portal and for using the app “Pendix.Bike PRO”.

The processing of the aforementioned data provided by you during the registration process is carried out for the purpose of implementing the user relationship established by the registration on the basis of Art. 6 para. 1 lit. b GDPR.

The data collected during the registration of the user account will be stored by us as long as you are registered as a user of our portal and will be subsequently erased. The legal retention periods remain unaffected.

5.3.2. Registration as a commercial user

If you want to use our portal as an owner/manager or as an employee of a retailer or as a fleet customer, independent registration for the use of our portal is not possible. Rather, the personalised user accounts are created immediately by Pendix after notification of the desired account and role structure, and the corresponding access data is transmitted. In this context, the following personal data are processed:

  • Name
  • Address
  • E-mail address
  • Phone number
  • Business license
  • Bank details

The processing of the aforementioned data shall be made for the purpose of implementing the user relationship on the basis of Art. 6 para. 1 lit. b GDPR.

We store the collected data as long as the user accounts are registered as users of our portal and subsequently erase them. The legal retention periods remain unaffected.

5.4. Provision of information

If you use the Pendix portal as a private customer, the following information about your Pendix eDrive will be made available to you within the portal:

  • Information about your batteries (serial number, HMI firmware version, part number, BMS firmware version, BMS charge cycles, BMS RFCC, minimum cell voltage, maximum cell voltage, support)
  • Information about your drives (serial number, firmware, model, wheel circumference, distance, firmware)

In order to provide the above information within the portal, a link between your user account and your Pendix eDrive is required. To establish the link, the use of our app “Pendix.bike PRO” is required. A separate registration for the use of the app is not required (see Point 5.3.1). For more information on the processing of your personal data when using our app “Pendix.bike PRO”, please refer to the data protection instructions of our app:

https://pendix.com/privacy-policy/app/en

5.5. Service telephone

If you contact us via the service telephone number provided within the portal, the content of your request, including all personal data resulting from it, insofar as it is relevant or required to answer your request, will be processed for the purpose of handling your request.

The processing of personal data provided by you in the context of your request shall be made on the basis of Art. 6 para. 1 lit. b GDPR, insofar as your request is related to the establishment or implementation of a contractual relationship. In all other cases, the processing is based on our legitimate interest in effectively handling the requests addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR), where such consent has been obtained.

The data provided by you as part of the request will be stored by us until you request erasure, withdraw your consent to storage or the purpose for storing the data no longer applies (e.g. after processing your request has been completed). Mandatory legal provisions, in particular statutory retention periods, remain unaffected.

5.6. Service request

If you use our portal as an employee of a retailer or as the owner/managing director of a retailer, you have the option of submitting a service request to Pendix GmbH via the portal. In connection with the service request you have submitted, we process the following data:

  • Customer data (Pendix customer number, company, address, title, name, e-mail address, telephone number)
  • Product data (affected component, date of purchase (optional), invoice copy (optional), error description, photos)

We process the personal data provided by you as part of the service request, as well as any supplementary personal data from the enclosed documents and photos, insofar as this is necessary for processing the service request you have submitted. The legal basis for this is Art. 6 para. 1 lit. b GDPR.

Furthermore, your personal data may be processed to the extent necessary to fulfill legal obligations (Art. 6 para. 1 lit. c GDPR) or to defend asserted legal claims (Art. 6 para. 1 lit. f GDPR). The legitimate interest results, among other things, from the obligation to provide evidence in connection with the defence of asserted legal claims.

The personal data provided as part of the service request will be stored by us until the purpose for storing the data no longer applies (e.g. after processing of your service request has been completed). Mandatory legal provisions, in particular statutory retention periods, remain unaffected.

5.7. Hosting

Our portal is hosted by an external service provider, Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen. The data collected when using our portal is stored on the servers of our hoster. This data includes, in particular, IP addresses, contact requests, meta and communication data, contact details, portal accesses and other data that is generated in the course of using the portal.

We use our hoster for the purpose of contract fulfilment towards our potential and existing customers (Art. 6 para. 1 lit. b GDPR) and in the interest of a secure, fast and efficient provision of our portal by a professional provider (Art. 6 para. 1 lit. f GDPR).

Our hoster will only process your data insofar as this is necessary for the fulfilment of its contractually assumed service obligations. For further information, please refer to the data protection declaration of Hetzner Online GmbH at:

https://www.hetzner.com/privacy-policy-notice

In order to ensure data protection-compliant processing, we have concluded an order processing agreement with the hoster we use.

5.8. Other processing purposes

5.8.1. Compliance with the legal provisions

We also process your personal data to fulfil other legal obligations we may have in connection with our business. This includes, in particular, retention periods under commercial, trade or tax law. In doing so, we process your personal data pursuant to Art. 6 para. 1 sentence 1 lit. c GDPR in order to fulfil a legal obligation to which we are subject.

5.8.2. Legal enforcement

We also process your personal data in order to be able to assert our rights and enforce our legal claims. We also process your personal data in order to be able to defend ourselves against legal claims. Finally, we process your personal data to the extent necessary to prevent or prosecute criminal offenses. We process your personal data in this context to protect our legitimate interests pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR, insofar as we assert legal claims or defend ourselves in legal disputes or we prevent or investigate criminal acts (legitimate interest).

6. Recipient of the data

Within our company, access to your data is granted to those departments that need it to fulfil our contractual and legal obligations. Service providers and vicarious agents used by us (e.g. technical service providers, shipping companies, waste disposal companies) may also receive data for these purposes. In this respect, we limit the transfer of your personal data to what is necessary, taking into account the data protection requirements. In some cases, the recipients receive your personal data as processors and are then strictly bound by our instructions when handling your personal data. In some cases, the recipients act independently under their own data protection responsibility and are also obliged to comply with the requirements of the GDPR and other data protection regulations.

Finally, in individual cases we transmit personal data to our consultants in legal or tax matters, whereby these recipients are bound by a special duty of confidentiality due to their professional status.

7. Duration of data storage

We initially process and store your personal data for the duration of the respective purpose of use (see above for the individual processing purposes). This may also include the periods during which a contract is initiated (pre-contractual legal relationship) and during the performance of a contract. On this basis, personal data is regularly deleted as part of the fulfilment of our contractual and/or legal obligations, unless its temporary further processing is necessary for the following purposes:

  • Fulfilment of legal obligations to retain data, which arise, for example, from the German Commercial Code (Art. 238, 257 para. 4 HGB) and the German Fiscal Code (Art. 147 para. 3, 4 AO). The periods specified there for storage and documentation are up to ten years.
  • Preservation of evidence in compliance with the prescription rules. According to Art. 194 et seq. of the German Civil Code (BGB), these prescription periods can be up to 30 years, with the regular prescription period being three years.

8. Your rights

As a person affected by the processing, you are entitled to the following rights under the legal conditions:

8.1. Right to information

You are entitled to request confirmation from us at any time within the scope of Art. 15 GDPR as to whether we are processing personal data relating to you; if this is the case, you are also entitled within the scope of Art. 15 GDPR to receive information about this personal data and certain other information (in particular, processing purposes, categories of personal data, categories of recipients, planned storage period, the origin of the data, the use of automated decision-making and, in the case of third country transfers, the appropriate safeguards) and a copy of your data. The restrictions of Art. 34 BDSG apply.

8.2. Right to rectification

In accordance with Article 16 of the GDPR, you are entitled to demand that we correct personal data stored about you if it is inaccurate or incorrect.

8.3. Right to erasure

You are entitled, under the conditions of Art. 17 GDPR, to demand that we erase personal data relating to you without delay. The right to erasure does not exist, among other things, if the processing of your personal data is necessary, e.g. to fulfil a legal obligation (e.g. legal retention obligations) or to assert, exercise or defend legal claims. In addition, the restrictions of Art. 35 BDSG apply.

8.4. Right to restriction of processing

You are entitled to demand that we restrict the processing of your personal data under the conditions of Art. 18 GDPR.

8.5. Right to data portability

You are entitled, under the conditions of Art. 20 GDPR, to demand that we hand over the personal data concerning you that you have provided to us in a structured, common and machine-readable format.

8.6. Right of withdrawal

You can withdraw your consent to the processing of personal data at any time. This also applies to the withdrawal of declarations of consent given to us before the GDPR came into force, i.e. before May 25, 2018. Please observe that the withdrawal is only effective for the future. Processing that took place before the withdrawal is not affected by the withdrawal of consent. An informal communication, e.g. by e-mail to us, is sufficient to declare the withdrawal.

8.7. Right to object

You are entitled to object to the processing of your personal data under the conditions of Art. 21 GDPR, so that we must stop processing your personal data. The right to object exists only within the limits provided for in Art. 21 GDPR. Moreover, our interests may conflict with the termination of the processing, so that we are entitled to process your personal data despite your objection. We will consider an objection to any direct marketing measures immediately and without further balancing of the existing interests.

Information about your right to object according to Art. 21 GDPR

You have the right to object at any time to the processing of your data that is carried out on the basis of Art. 6 para. 1 lit. f GDPR (data processing on the basis of a balance of interests) or Art. 7 para. 1 sentence 1 lit. e GDPR (data processing in the public interest) if there are grounds for doing so that arise from your particular situation.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.

The objection can be made informally and should preferably be addressed to:

Pendix GmbH
Innere Schneeberger Straße 20
08056 Zwickau, Germany
E-mail: datenschutz@pendix.de

8.8. Right of complaint to a supervisory authority

Under the conditions of Art. 77 GDPR, you have a right of complaint to a competent supervisory authority. In particular, you can submit a complaint to the supervisory authority responsible for us (Saxon Data Protection and Transparency Commissioner; https://www.saechsdsb.de/kontakt) or any other competent supervisory authority. A list of data protection supervisory authorities and their contact details can be found in the following link:

https://www.bfdi.bund.de/EN/Service/Anschriften/Laender/Laender-node.html

8.9. Other concerns

For further data protection questions and concerns, please contact our data protection officer using the contact details provided above.

9. Obligation to provide data

In principle, you are not obliged to provide us with your personal data. However, if you do not do so, we will not be able to provide you with unrestricted access to our portal or respond to your requests to us. Personal data that we do not absolutely require for the above-mentioned processing purposes are marked accordingly as voluntary information.

10. Automated decision making/profiling

We do not use automated decision making or profiling (an automated analysis of your personal circumstances).
