Privacy Policy
For the UDE Shuttle service and the associated applications
The UDE Shuttle service allows you to book rides on the University
of Duisburg-Essen's shuttle bus. To provide this function, the service
collects and processes your data. In addition to general usage data, this
also includes personal data, such as your email address, your booked
rides, and information about the mobile devices you use to access the
service.
In this privacy policy, we describe which data is collected, for what
reason, and how the collected data is used. Furthermore, we inform you
about various choices you have when using the service and describe their
impact on data collection, processing, and storage.
Version and Change History
Version 1 – Created on August 4, 2025
Responsible Party and Contact
The responsible party within the meaning of the General Data Protection
Regulation (GDPR) §4(7) is the Chair of Networked Embedded Systems at the
University of Duisburg-Essen. If you have any questions or comments
regarding this declaration, please contact us at:
University of Duisburg-Essen
Networked Embedded Systems
Dr. Marcus Handte
Schützenbahn 70
45127 Essen
Phone: +49-201-183-2803
Email: marcus.handte@uni-due.de
What data is collected and for what purpose?
- Data you provide us: This includes your email address
and information about your current and future bookings. The processing
of this data is necessary for the implementation of the respective
functions of the service and is carried out on the basis of GDPR §6(a)
with your consent.
- Data on the use of the service: Both the web
application and the mobile application communicate with the service via
the HTTPS protocol. With each interaction, we store the connection and
request data, such as the time of the request, the current IP address of
the requester, the retrieved URL and the parameters contained in the
request, as well as the duration and results of the request. The purpose
of this collection is the (possibly subsequent) detection, analysis, and
combating of attacks by automated mechanisms, as well as the correction
of program errors and the improvement of the function and performance of
the service and the applications. Accordingly, the collection is based
on legitimate interest in accordance with GDPR §6(f).
- Data about your mobile device: When you use the mobile
application on your mobile device for the first time, your device is
automatically registered. During registration, we collect and store the
device model. The purpose of the collection is to correct
device-specific errors, as well as to improve the functionality and
performance of the service and applications. Accordingly, the collection
is based on legitimate interest pursuant to GDPR §6(f).
In order to be able to clearly identify your mobile device at a later
date and to protect access to your own data (access control), we assign
a random but unique number and an associated cryptographic key to each
device during registration. The number and key are then sent to the
service with every request from the device. This prevents another device
from changing your data. This identification is necessary for the
implementation of the service and is carried out on the basis of GDPR
§6(a) with your consent.
In addition, as part of some requests, we transmit the version of the
mobile application you have installed on your device. The purpose of
this collection is to correct errors in the mobile applications and
within the service implementation, as well as to perform statistical
analysis of the versions of the mobile applications used. For this
reason, the collection is based on GDPR §6(f).
Where is the data stored and processed?
The data is currently stored and processed exclusively on servers in
Germany at the University of Duisburg-Essen.
With whom is the data shared?
- University of Duisburg-Essen: The University of
Duisburg-Essen is the operator of the service and applications. The
University of Duisburg-Essen processes the data to operate the service
and provide the applications. Processing is carried out on the basis of
GDPR §6(a) with your consent.
- Public authorities: If we are legally obliged (e.g., by
a valid court order) to release data to an authorized body, we will
transfer your data to such a body and inform you (if this is legally and
technically possible) of the release.
How long is the data stored?
The storage period depends on the type and use of the data. Data relating
to the use of the service is usually overwritten after a few days through
regular rotation. This time may be increased in individual cases (e.g.,
when analyzing past attacks).
We store your account data (email address, bookings, device information)
as long as you access the service. If you don't access it for 90 days, we
anonymize the data and delete your account, so that it can no longer be
associated with you. Please note that in this case, you will also no
longer be able to access your bookings.
Regardless of the type of data, we try to keep the storage period short.
However, we strive to operate the service in a way that protects all
users' data from system failures and deliberate damage by third parties.
Therefore, we use regular backups. Due to these measures, it may happen
that unused data or data authorized for deletion is not immediately
deleted from our computer and backup systems.
What rights can be asserted?
Your rights are described in detail in Chapter 3 of the GDPR, and the
rights to which you are entitled are not affected by this privacy policy.
Your rights include, among others:
- Right to confirmation and information (GDPR §15), right to
rectification (GDPR §16), and right to erasure (GDPR §17):
You have, at any time within the framework of the applicable legal
provisions, the right to free information about your stored personal
data, the origin of the data, its recipients, and the purpose of data
processing, and, if applicable, a right to rectification, blocking, or
erasure of this data. Please contact the aforementioned controller in
this regard.
- Right to restriction of processing (GDPR §18), right to object to
processing (GDPR §21), and right to withdraw consent under data
protection law (GDPR §7):
Some data processing operations are only possible with your express
consent. Revocation of consent already granted is possible at any time.
An informal notification by email is sufficient for revocation. However,
the legality of the data processing carried out up to the time of
revocation remains unaffected by the revocation.
- Right to data portability (GDPR §20): You have the
right to have data that we process automatically handed over to you or
to third parties. The data will be provided in a machine-readable
format. If you request the direct transfer of the data to another
controller, this will only be done if this is technically feasible.
- Right to lodge a complaint with a supervisory authority (GDPR §77):
As a data subject, you have the right to lodge a complaint with the
competent supervisory authority in the event of a data protection
violation. The competent supervisory authority for data protection
issues is the State Data Protection Commissioner of the Federal State of
North Rhine-Westphalia. You can find the contact details of the data
protection officer here. If you have any questions, concerns, or
requests for information, please contact the previously mentioned
controller (Dr. Marcus Handte).
Information on Online Dispute Resolution
The EU Commission provides an internet platform for online dispute
resolution (so-called "ODR platform") in accordance with Art. 14 (1) of
the ODR Regulation (EU Regulation No. 524/2013). The ODR platform serves
as a contact point for out-of-court dispute resolution. You can access the
ODR platform via this link.