Privacy

The Studentenwerk Hannover processes personal data that is required to fulfill its statutory tasks.

Relevant personal data are personal details (including name, address and other contact details, date and place of birth and nationality).

In addition, this may also include data

• required around your student status,
• to fulfill our contractual obligations (e.g. data required for payment transactions),
• documentation (e.g. consultation protocol/contact form)
• among others.

We process personal data in accordance with the provisions

• of the EU General Data Protection Regulation (DSGVO),
• the Federal Data Protection Act (BDSG),
• the Lower Saxony Data Protection Act (as a public body of the state).

The lawfulness results

• on the basis of your consent or
• from the fulfillment of contractual obligations or
• due to legal requirements or
• within the framework of the balancing of interests / public interest.

Within the Studentenwerk Hannover, access to your data is granted to those offices that need it to fulfill our contractual and legal obligations. Service providers employed by us may also receive data for these purposes. These are, for example, companies in the categories of IT services and telecommunications.

As a matter of principle, we may only pass on data if this is required by law. Under these conditions, recipients of personal data may be, for example:

• Public bodies and institutions in the event of a legal or official obligation,
• Financial services institutions or comparable institutions to which we transfer personal data in order to carry out the business relationship with you,
• service providers that we use in the context of order processing relationships.

We process and store your personal data as long as this is necessary for the fulfillment of our contractual and legal obligations.

You have the following rights regarding the data stored by us:

• Information about your data stored by us and its processing(Art. 15 DSGVO),
• Correction of incorrect personal data(Art. 16 DSGVO),
• Deletion of your data stored by us(Art. 17 DSGVO),
• Restriction of data processing if we are not yet allowed to delete your data due to legal obligations(Art. 18 DSGVO),
• Objection to the processing of your data by us(Art. 21 DSGVO),
• Data portability, provided that you have consented to the data processing or have concluded a contract with us(Art. 20 DSGVO).

If you have given us consent, you can revoke this at any time with effect for the future.

In addition, you can file a complaint with a data protection supervisory authority at any time. A list of supervisory authorities with addresses can be found at:

https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html

When you access our website, information of a general nature is automatically collected. This information (server log files) includes the type of web browser, the operating system used, the domain name of your Internet service provider and similar. This is exclusively information that does not allow any conclusions to be drawn about your person.

This information is technically necessary in order to correctly deliver the content of websites requested by you and is mandatory when using the Internet. In particular, it is processed for the following purposes:

• Ensuring a smooth connection setup of the website,
• Ensuring a smooth use of our website,
• evaluating system security and stability, and
• for other administrative purposes.

The processing of your personal data is based on our legitimate interest from the aforementioned purposes for data collection. We do not use your data to draw conclusions about your person. Recipients of the data are only the responsible body and, if applicable, order processors.

Anonymous information of this kind may be statistically evaluated by us in order to optimize our website and the technology behind it.

For the comment function on this page in the Mensa forum, in addition to your comment, information on the time of creation of the comment, your e-mail address and the username you have chosen will be stored. Our comment function stores the IP addresses of users who post comments. Since we do not check comments on our site before activating them, we need this data in order to be able to take action against the author in the event of legal violations, such as insults or propaganda. This serves our security, as we can be prosecuted for illegal content on our website, even if it was created by users.

If you contact us with questions of any kind by e-mail or contact form, you give us your voluntary consent for the purpose of contacting you. For this purpose, it is necessary to provide a valid e-mail address. This serves the assignment of the request and the subsequent response to the same. The provision of further data is optional.

We expressly point out that the delivery of this data to us is partially unencrypted. For this reason, we ask that you do not send us any special categories of personal data (e.g. health data) via the contact form; use secure channels such as the postal service for this purpose.

All incoming and all sent e-mails are recorded in our central e-mail archive and generally stored for 10 years. This storage serves to fulfill the legal obligations for proper record keeping. Although this archiving obligation only applies to e-mails with an accounting document function, it is not possible to systematically separate these from other e-mails. Access to archived e-mails is for the purpose of financial accounting and bookkeeping, and also to fulfill the statutory tasks of the Studentenwerk if the contents of e-mails are required for technical purposes.

This website uses Google Maps API to visually display geographical information. When using Google Maps, Google also collects, processes and uses data about the use of the map functions by visitors. You can find more information about the data processing by Google in the Google Privacy Policy(http://www.google.com/privacypolicy.html). There you can also change your personal privacy settings in the Privacy Center.

Detailed instructions on how to manage your own data in connection with Google products can be found at: http://www.dataliberation.org/.

We embed YouTube videos on some of our websites. The operator of the corresponding plugins is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. When you visit a page with the YouTube plugin, a connection to YouTube servers is established. This tells YouTube which pages you are visiting. If you are logged into your YouTube account, YouTube can assign your surfing behavior to you personally. You can prevent this by logging out of your YouTube account beforehand.

If a YouTube video is started, the provider uses cookies that collect information about user behavior.

If you have deactivated the storage of cookies for the Google ad program, you will not have to expect any such cookies when watching YouTube videos. However, YouTube also stores non-personal usage information in other cookies. If you want to prevent this, you must block the storage of cookies in the browser.

You can find more information on data protection at YouTube in the provider's data protection declaration at: https://www.google.de/intl/de/policies/privacy/.

We reserve the right to adapt this privacy policy so that it always complies with the current legal requirements or to implement changes to our services in the privacy policy, e.g. when introducing new services. The new privacy policy will then apply to your next visit.

If you have any questions about data protection, please send us an e-mail or contact the person responsible for data protection in our organization directly:

Tel. (05 11) 76-88 934 E-mail: datenschutz@studentenwerk-hannover.de.

This service (hereinafter referred to as "App") is provided by the Studentenwerk Hannover, Jägerstraße 5, 30167 Hannover, Germany, as the responsible party within the meaning of the EU General Data Protection Regulation (GDPR). Within the scope of the app, we enable you to retrieve and display information about the Studentenwerk's canteen offerings at various locations and to list and filter them according to the preferences you have entered.

With this privacy policy we inform you about the processing of personal data according to Art. 12 ff. DSGVO. Personal data means any information relating to an identified or identifiable natural person. In addition, we inform you about the legal basis for the processing of your data and, insofar as the processing is necessary to protect our legitimate interests, also about our legitimate interests and your rights.

Certain information is already processed automatically as soon as you use the app. We have listed exactly which personal data is processed for you below.

1.1 Information collected during the download process

When you download the app, certain required information is transmitted to the app store you have selected (e.g., Google Play or Apple App Store); in particular, the user name, the e-mail address, the customer number of your account, the time of the download, payment information, and the individual device identification number may be processed. The processing of this data is carried out exclusively by the respective App Store and is beyond our control.

1.2 Information that is collected automatically

You have the option to use the app anonymously at the beginning. In this case, no personal data is transmitted, so anyone who wants to remain anonymous can be. We value the freedom of anonymity very much, but this reduces the functionality of the app to a minimum. We have no influence on the storage of data by the provider.

If you do not use the app anonymously, a UserID (user identifier) is automatically created as part of your use of the app, which is required for full use of the app. However, the Studentenwerk has no knowledge of the person behind the UserID at any time. The legitimate interest pursuant to Art. 6 I lit. f DSGVO applies to the collection of the UserID in order to ensure the functionality and error-free operation of the app and to be able to offer a service that is in line with the market and interests.

The submitted ratings are collected on the basis of consent pursuant to Art. 6 I lit. a DSGVO. You must submit your rating by actively clicking the "Send Feedback" button or you will be actively asked in the app whether you want to submit this rating. The collection of the pseudonymized usage data is based on a legitimate interest pursuant to Art. 6 I f DSGVO in conjunction with. Recital 47 (direct marketing).

The following lists the other data to be collected that are necessary for the provision of the service in accordance with Art. 6 I b and f DSGVO.

• UserID - with the registration you receive an account with a user ID to which the data can be assigned. This is pseudonymization.
• AccountPassword - a password randomly generated by the app, which is used to authorize you and manage your account. Changing the password is possible after the fact.
• SelectedCanteen - Your selected canteens or cafeterias. So that the app will only send you reminders of dishes that are offered in your cafeteria.
• AccessToken - A server-generated token that you receive with your password to make it easier to authorize you.
• CreatedAt - The creation date of your account, so the app can track the growth of users.
• UpdatedAt - The last modification date of your account, so the app can track when changes were made.
• LastOnline - The date you last used the app, so we can delete your data after 1 year of non-use.
• FavoriteMeals - Your favorite meals. This allows the app to notify you when one of your favorite dishes is offered again, on the other hand, the app can customize the display of offers according to the most favorite dishes.
• MealRatings - Your ratings of the offered dishes. Based on these, the Mensa offer can be improved.
• Markings - Your allergens and markings of dishes that you either do not tolerate or do not like. This allows us to tailor your notifications to your eating habits, as well as tailor the Mensa experience to appeal to more guests.

Information about your device

• DeviceID - a server generated number for your device. Since there are people who have multiple devices, the app distinguishes between these registered devices. This number is associated with the following information: PushnotificationToken, DeviceOS, DeviceID and StreamViews.
• PushNotificationToken - A key generated by your AppStore provider, which allows the app to send push notifications (only if this is desired). For more information about this, see the section "Mobile app access rights".
• StreamViews - The menu items/areas of the app that you have accessed. This identifies which areas of the app are used most frequently. This helps to set the focus of improvement towards that. StreamViews are only transmitted with your explicit consent (to improve the app).
• DeviceOS - The operating system and version of your smartphone. This can be used to keep track of error crashes and devices under test.

For other purposes A transfer of your personal data to third parties for other purposes does not take place, unless you

• according to Art. 6 para. 1 p. 1 lit. a DSGVO you have given your explicit consent, as well as
• in case there is a legal obligation for the transfer according to Art. 6 para. 1 p. 1 lit. c DSGVO.

The app uses technology from Google Firebase. Firebase is part of the Google Cloud Platform and offers many services for developers, which you can view here: firebase.google.com/terms/ (https://firebase.google.com/terms/). Some Firebase services process personal data from you as an end user. This is necessary for the provision of Google services. You can find out which data is processed and for what purpose under the item dataprocessing information: firebase.google.com/support/privacy/ (https://firebase.google.com/support/privacy/). Google Firebase often uses "instance ID's" which, according to Google's information, are stored until the end user makes an API call to delete the ID. After that, the data is deleted from the live and backup system 180 days after the call. For more information, see: firebase.google.com/support/privacy/manage-iids (https://firebase.google.com/support/privacy/manage-iids). These Instance-ID's are determined, for example, to know to which device messages should be transmitted.

The Studentenwerk Hannover does not receive any personal data from Google Firebase and does not make any effort to personalize the data afterwards and only uses the data to analyze the usage behavior. No guarantee is given for the above-mentioned information by Google, it is only referred to the information provided. Google is entitled to change or delete this information at any time, to delete or change the URL (link to Google web pages) or to provide the information on another page.

Information of the third party provider: Google Dublin, Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001, or Google Analytics of Google Inc (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). User terms and conditions: firebase.google.com/terms/ (https://firebase.google.com/terms/) Overview of data protection: firebase.google.com/support/privacy/ (https://firebase.google.com/support/privacy/) as well as the data protection declaration: policies.google.com/privacy (https://policies.google.com/privacy) Furthermore, we use the following services from Google Firebase: Cloud Messaging

3.1 Cloud Messaging

Cloud messaging is used to send you push messages or in-app messages. In the process, a pseudonymized push reference is assigned to the end device, which serves as the target for the push messages or in-app messages. The push messages can be deactivated and reactivated at any time in the settings of the end device.

The app uses Google Maps to display the Mensa locations. Information about your location will only be stored on your device and will not be transmitted to the Studentenwerk Hannover at any time. You can read the terms of use of Google Maps here: www.google.com/intl/de_de/help/terms_maps/ (https://www.google.com/intl/de_de/help/terms_maps/).

Processing of your personal data for purposes other than those described will only take place if permitted by law or if you have consented to the changed purpose of the data processing. In the event of further processing for purposes other than those for which the data was originally collected, you will be informed about these other purposes prior to further processing and you will be provided with all other relevant information.

In the app, the data is normally stored for up to 12 months. If you have not been active for longer than 12 months (i.e. you have not used the app) or you delete your account (via the app), all your attributable data will be automatically deleted or anonymized. In doing so, your personal data will be anonymized or deleted in the App as soon as it is no longer required for the purposes for which it was collected or used in accordance with the preceding paragraphs or to the extent that such data is no longer required for criminal prosecution or to secure, assert or enforce legal claims. After deletion of the user account, data will be automatically deleted for further use, unless according to Article 6 para. 1 p. 1 lit. c DSGVO due to tax and commercial storage and documentation obligations (from HGB, StGB or AO) are obliged to store for a longer period or you have consented to the storage beyond that according to Art. 6 para. 1 p. 1 lit. a DSGVO.

The ratings for dishes and other services, on the other hand, are not deleted, even if the app is uninstalled or this dish is no longer on the menu. The ratings do not contain any personal data other than the UserID, which is deleted or anonymized as mentioned above.

The UserID is used in our systems while the app is offered. Server logs are usually kept for as long as is necessary to analyze any errors. As a rule, this is 14 days.

You have the right to request information about the processed personal data concerning you in the scope of Art. 15 DSGVO at any time. For this purpose, you can send a request by mail or e-mail to the addresses below.

You have the right to request the immediate rectification of the personal data concerning you, should they be inaccurate. To do so, please contact us at the address below.

You have the right to request the deletion of the personal data concerning you under the conditions described in Art. 17 DSGVO. These conditions provide in particular for the right to erasure if the personal data is no longer necessary for the purposes for which it was collected or otherwise processed, as well as in cases of unlawful processing, the existence of an objection or the existence of an obligation to erase under Union law or the law of the Member State to which we are subject. For the period of data storage, see also section 5 of this Privacy Policy.

To exercise your right to erasure, please contact us at the contact addresses below.

You have the right to request the restriction of processing in accordance with Art. 18 DSGVO. This right exists in particular if the accuracy of the personal data is disputed between, for the duration that the verification of the accuracy requires, as well as in the case that the user requests limited processing instead of erasure in the case of an existing right to erasure; furthermore, in the case that the data are no longer necessary for the purposes pursued, but the user needs them for the assertion, exercise or defense of legal claims, as well as if the successful exercise of an objection is still disputed. To exercise your right to restrict processing, please contact us at the contact addresses below.

You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, machine-readable format in accordance with Art. 20 DSGVO. To exercise your right to data portability, please contact us at the contact addresses below.

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out, inter alia, on the basis of Art. 6(1)(e) or (f) DSGVO, in accordance with Art. 21 DSGVO. processing of your personal data will cease unless compelling legitimate grounds for the processing can be demonstrated which override your interests, rights and freedoms, or if the processing is for the establishment, exercise or defense of legal claims.

You have the right to withdraw your consent to the respective data processing without giving reasons. This applies to processing after the time of revocation. The processing until then remains unaffected.

You are welcome to contact the data protection officer of the Studentenwerk (see below for contact details) in case of complaints. In addition, you have the right to lodge a complaint with the competent data protection supervisory authority, the State Commissioner for Data Protection of Lower Saxony, Prinzenstraße 5, 30159 Hanover, Germany, phone: +49 511 120-4500, e-mail: poststelle@lfd.niedersachsen.de.

In order to optimize the user flow and to receive better and more suitable suggestions within the app, there is a recommendation system. A distinction is made between local and server-side suggestions. The server-side processing of own data only takes place if the item "Send statistics data" has been agreed to (this item can be deactivated again under "Settings"). General suggestions, which are user-independent, are still made. Personal data is only evaluated locally on the end device. For example, more suitable buildings can be suggested based on the user's location, or the nearest refectory can be displayed.

The recommendation system accesses the following data: Server-side:

• StreamView data (data about screens used).
• Non-sensitive user data that exists server-side (including preferred dining hall, favorite dishes, student body)

Endpoint device:

• Location

The application uses appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.

The backend to the app is hosted by the German hoster ingenit GmbH & Co KG. Data sent from the app to the backend is stored on our server instance at the hoster. This is the data listed under 1.2. There is an order processing contract with ingenit GmbH & Co. KG.

If you have any questions or comments about the handling of your personal data, or if you would like to exercise the rights as a data subject set out in sections 6 and 7, please contact the data protection officer.

Studentenwerk Hannover Anstalt des öffentlichen Rechts Jägerstraße 5 30167 Hannover Phone: +49 511 76-88025 E-mail: datenschutz@studentenwerk-hannover.de Website: www.studentenwerk-hannover.de

We always keep this privacy policy up to date. Therefore, we reserve the right to change it from time to time and to update any changes in the collection, processing or use of your data. The current version of the privacy policy is always available under "Privacy" within the app.

Status: February 25, 2021