-
Privacy Policy for the Yomoko App
Last updated: June 2026
We are pleased that you use the Yomoko app. Below we inform you about how we process personal data when you use our app, our website and related digital services.
Personal data means any information relating to an identified or identifiable natural person.
This Privacy Notice applies to the Yomoko app, our website and related digital services, unless expressly stated otherwise below.
1. Controller
The controller responsible for data processing in connection with the Yomoko app is:
Yomoko UG (haftungsbeschränkt)
Straße der Jugend 18
14974 Ludwigsfelde
Germany
Email: office@yomoko.app
Telephone: +49 (0)151 67066845
2. General use of the app and technical data
When you download the app from an app store, certain data may be processed by the respective app store provider, for example user name, email address, customer number, time of download, device identifier or payment information. We generally have no influence over this processing. The privacy policies of the respective app store provider apply.
When you use our app, we process technical data that is necessary to provide the app, operate it securely and improve it technically. This may include in particular:
· date and time of access
· time zone information
· content, destination and type of request
· access status / HTTP status code
· amount of data transferred
· referrer / source of access, where technically transmitted
· IP address, where applicable shortened or anonymized
· device information, device identifiers and technical device parameters
· operating system, app version and system interface
· language settings
· browser or webview information, where such functions are used
· usage and log data
· technical request, connection and server data
· error, diagnostic and crash data
Where processing is necessary to provide the app and its functions, it is based on Art. 6(1)(b) GDPR. Where processing serves the security, stability, error analysis, prevention of misuse or technical improvement of our app, it is based on our legitimate interest pursuant to Art. 6(1)(f) GDPR.
If there are indications of unlawful, abusive or security-relevant use, we may subsequently review log data to the extent necessary to investigate the matter, secure our systems, prevent misuse or enforce our rights.
Where necessary for security, authentication, prevention of misuse, technical provision or the operation of individual app functions, technical identifiers may also be processed. These may include, in particular, device identifiers, installation IDs, push tokens, app instance IDs, session IDs and similar technical identifiers.
3. Age restriction and youth protection
The Yomoko app is intended for users aged 16 and over. Use by persons under 16 is not intended and is not permitted under our Terms of Use.
During registration, we ask for the date of birth and may technically restrict registration below the age limit. Secure age verification does not take place; users are required to provide accurate information.
Additional age-related restrictions, safety notices or participation terms may apply to individual functions, in particular location-based functions, ride recording, location-based game and community functions, crews, chats, public rankings, prize functions or community functions.
If we become aware that personal data is being processed contrary to the applicable age requirements, we may take appropriate measures, in particular restricting or deleting the user account and the associated data, unless statutory obligations or overriding legitimate interests prevent this.
4. Registration and user account
Registration is required to use certain functions of the app. As part of registration and use of a user account, the following data may be processed in particular:
· telephone number and/or email address
· user name
· date of birth
· profile information
· profile picture
· gender or voluntary profile information
· login and authentication data
· voluntarily provided content and settings
Processing is carried out for the creation, administration and provision of the user account and for the use of app functions on the basis of Art. 6(1)(b) GDPR.
Voluntary information can generally be amended or deleted by the user at any time, to the extent provided by the app and unless statutory obligations or legitimate reasons prevent this.
5. Content provided by users
Users may provide their own content within the app, for example texts, images, videos, profile information, messages, tours, routes, comments, ratings, community content or other information.
This content is processed in order to provide the relevant app functions, display user profiles, enable communication, operate community functions and make content available within the app.
Processing is based on Art. 6(1)(b) GDPR. Where content is processed for security, moderation, prevention of misuse or enforcement of our Terms of Use, this is based on our legitimate interest pursuant to Art. 6(1)(f) GDPR.
Please note that certain content may be visible to other users depending on the app function and settings, for example profile information, published tours, community posts, crew information or ranking information.
If users deliberately publish or share tours, routes, ride content or similar content with others, the information contained in it may be visible to other users depending on the function and settings. This may also include location-related information such as starting points, destinations, route courses, map areas, time information or related content.
6. Communication, chat and notifications
The app may provide functions for communication between users. In this context, message content, sender and recipient information, timestamps, read status, technical delivery data and notification settings may be processed.
Processing is carried out to provide the communication functions on the basis of Art. 6(1)(b) GDPR. Where we process data to prevent misuse, ensure security or analyze technical errors, this is based on Art. 6(1)(f) GDPR.
If you enable push notifications, we process the technical data required for this, in particular device or installation identifiers, push tokens and notification settings. Processing is generally based on your consent pursuant to Art. 6(1)(a) GDPR. You can disable push notifications at any time in the app or system settings.
Depending on the operating system, the Apple Push Notification service (APNs) by Apple and Firebase Cloud Messaging (FCM) by Google may be used to send push notifications. In this context, push tokens, device or installation identifiers, technical delivery data, notification settings and message content may be processed.
Push notifications may be used in particular to deliver technical notices, communication notifications, security information and, where enabled, function-related notices about tours, crews, group rides, game rounds, area status, results or comparable app functions.
Where push notifications are required for a function actively used by you, processing may additionally be based on Art. 6(1)(b) GDPR. Where they serve technical security, delivery or prevention of misuse, processing is based on Art. 6(1)(f) GDPR.
7. App permissions and consent
For individual functions, the app may need access to certain device functions or content. This may include, in particular, location, camera, photos or media, notifications or similar permissions.
Access only takes place if it is required for the respective function and the corresponding permission has been granted. You can revoke granted permissions at any time in the app or system settings. If a permission is disabled, the affected functions may not be usable or may only be usable to a limited extent.
Depending on the operating system and function, precise location data, background location or similar permissions may be required for location-based functions. This applies in particular to functions in which a ride is to be recorded while the app is running in the background or the screen is locked.
Where processing is based on your consent, you may revoke this consent at any time with effect for the future. The lawfulness of processing carried out before revocation remains unaffected.
8. Location data, map functions and ride recording
Our app uses location data to provide location-based functions. These may include in particular:
· displaying your own location on a map
· finding users, crews, tours, events or content nearby
· planning and displaying tours and routes
· recording rides
· displaying, storing and later showing recorded routes
· providing a ride history
· map-based community, crew or game functions
· calculating distances, areas, points, statistics or rankings
· security, error analysis, prevention of misuse and manipulation in ride, crew and game functions
Depending on the function used, precise GPS location data, approximate location data, timestamps, start and end time of a ride, distance traveled, distance, map areas, user ID, crew affiliation, movement information, points, statistics and ranking information may be processed.
The app may process location data selectively, for example to display users, crews, tours, events or content in your vicinity or to provide location-related map functions.
By contrast, continuous recording of location data for ride recording, group rides or location-based game and community functions only takes place if you actively start a corresponding function. During an actively started recording, location processing may continue even if the app is running in the background or the screen is locked. This is necessary so that a ride can also be recorded when the app is not continuously open in the foreground during the ride.
Continuous location processing for ride recording or location-based game and community functions does not take place outside actively started functions.
You can end an active recording at any time and revoke the location permission at any time in the app or system settings. Without location permission, certain functions of the app cannot be used or can only be used to a limited extent.
Processing of precise location data is generally based on your consent pursuant to Art. 6(1)(a) GDPR. Processing of ride, route, game status and result data is carried out to provide the respective app function used on the basis of Art. 6(1)(b) GDPR. Where data is processed for security, error analysis, fraud prevention, prevention of misuse or manipulation, this is based on our legitimate interest pursuant to Art. 6(1)(f) GDPR.
Where information is stored on or accessed from your terminal device in connection with the respective function and consent is required for this, this is carried out in accordance with the applicable provisions of the German Telecommunications Digital Services Data Protection Act (TDDDG).
9. Location-based game and community functions
Our app may provide location-based game, community and crew functions.
Location-based game and community functions are app functions in which real motorcycle rides can be linked to a digital map. Users or crews may, through real rides, collect points for virtual areas on a map, achieve area results or participate in map-based crew or community mechanics. Points, game status, crew results, area data, rankings or comparable community results may be calculated and displayed from the use of these functions.
If you actively use such a function or start a group ride or ride recording, location data may be processed continuously during the active ride. Continuous location processing begins when you actively start the ride, ride recording, group ride or game round and ends when you stop the recording or withdraw the required permission.
This may include, in particular, precise GPS coordinates, timestamps, movement data derived from location data, speed where technically available, start and end time of the ride, distance traveled, map areas, user ID, crew affiliation and game and result data derived from these data.
During an active ride, location data is processed and stored at regular technical intervals. This processing serves to record the route traveled, provide a ride history, calculate virtual areas or points, update game status, make results traceable, prevent manipulation, prevent misuse and ensure technical functionality.
If a function requires continuous recording, location processing may continue even if the app is running in the background or the screen is locked. This only takes place if the ride, ride recording or location-based game round has been actively started by you or is required for the function you have activated.
For the prevention of misuse and manipulation, location and movement data may also be used to check the plausibility of a ride or the spatial proximity of participants within a recording.
Permanent location processing outside actively used or actively started functions for ride recording or location-based game and community functions does not take place.
You can end an active recording at any time in the app and revoke the location permission at any time via the app or system settings. If the location permission is disabled, location-based functions such as ride recording or location-based game and community functions cannot be used or can only be used to a limited extent.
Crew, area, ranking and result data derived from location-based game and community functions may be displayed within the app and on the Yomoko website. This may include, in particular, crew names, crew size, point scores, rankings, controlled, ridden or earned areas and cartographic area displays. A regional assignment or approximate location information of a crew may be displayed where this is necessary for the display of the crew, area or ranking function.
Precise GPS raw data of individual users, complete individual route courses and permanent live locations of individual users are generally not publicly displayed on the website for this purpose.
The exact design may vary depending on the function, round, season or game mode. Processing only takes place to the extent required for the function actively used.
10. Visibility of location, ride, crew and result data
Other users do not automatically see your precise live location. Live locations are not shared with other users as a separate live-sharing function.
Depending on the function and your settings, however, certain location, ride, crew or result data may be visible. This may include, in particular, published or shared rides, route information, controlled map areas, points, crew results, ranking positions, completed rides, aggregated statistics or comparable game and community results.
Rankings, area results, crew results, points, placements or comparable result data may, depending on the function, be publicly visible within the app.
In addition, certain crew-related game and result data may also be published regularly on our Yomoko website. This may include, in particular, crew name, ranking, point score, crew size, regional assignment or approximate location information of the crew, controlled, ridden or earned areas and a map view. This map view may show at area or regional level which crews have ridden, controlled or earned which areas and what point score these crews have achieved.
Publication on the website serves to display the community, crew and game functions, to make game status, rankings and results from location-based game and community functions visible and to inform the community about current crew and area results.
Other crews, public rankings and the website generally show only the crew, area, ranking or result data intended for the respective function, not automatically precise GPS raw data, complete individual route courses or a permanent live location of individual users.
Within a crew, certain activity, route, contribution or result data may be visible depending on the function. Which data crew members or crew administrators can see in detail depends on the respective function, role and setting.
If you deliberately publish or share rides, routes or ride content with others, location-related information contained therein, such as starting points, destinations, route courses, map areas or time information, may become visible to other users.
Whether and which information is visible depends on the respective app function, the available settings and the type of participation.
11. Storage of location, ride and game information
Location, movement, route and ride data is stored to the extent necessary for the respective function, the ongoing recording, the display of recorded routes, the provision of a ride history, the calculation and display of areas, points or game status, the display of results, technical error analysis, security or prevention of misuse and manipulation.
In the case of ride recordings, group rides or location-based game and community functions, precise location data and route information may remain stored even after completion of a ride or game round. This may be necessary in particular to be able to display the recorded route later, provide a ride or route history, make game status and area results traceable, display area histories, prevent misuse or manipulation, analyze technical errors or provide the respective function.
Precise location and route data is therefore not automatically deleted immediately after points have been calculated, to the extent that it continues to be required for displaying the recorded route, the ride or route history, the traceability of game status, the assignment or display of areas, the community function or the prevention of misuse and manipulation.
Location, route, recording and movement data may be stored for the duration of the user account and, to the extent that it is assigned to crew results, area histories, rankings, game status, prevention of misuse or traceability of results, also beyond that.
Derived result data can be created from location, movement and route data, for example points, area status, crew results, rankings, statistics, area histories or season results. These derived data may be stored and displayed for a longer period to the extent necessary for the display of ongoing or completed rounds, the traceability of results, the community function, the area history, the prevention of misuse or the enforcement of our Terms of Use.
Crew-related result data, area data, rankings, point scores, crew size, crew name, regional assignment or approximate location information of the crew and cartographic displays of ridden, controlled or earned areas may also be stored after completion of individual rides, rounds or seasons and displayed within the app or on the Yomoko website to the extent necessary for the community, ranking, game, area or area history.
Deletion of individual rides or routes within the app may currently not be provided in all cases. However, users can request deletion of personal data via our support. Where data continues to be required for crew results, rankings, area histories, prevention of misuse or legal purposes, it may be continued in shortened, aggregated, anonymized or not directly user-related form, as applicable.
After deletion of a user account, personal profile data will be deleted or anonymized unless statutory obligations or overriding legitimate interests prevent this. Crew-related routes, scores, area results, rankings, point scores, crew sizes, website displays, area histories or game status may continue to be retained to the extent that they are part of the crew, game, community, ranking or area history. In this case, the direct link to the deleted user account will be removed or reduced where possible.
If a user is the last member of a crew and the crew is deleted, the data assigned to the crew may also be deleted, unless statutory obligations or legitimate interests prevent this.
Backups are retained for up to 7 days according to the current technical concept.
12. Data minimization and safeguards for location functions
We design location-based functions in such a way that only the data required for the respective function is processed.
Where possible and sufficient for the respective purpose, we use derived, shortened, aggregated or function-related data instead of precise location data. However, precise location and route data may be required where a function requires the later display of a recorded route, the provision of a ride history, the traceability of a ride, the calculation or display of game status, areas or points, the area history or the prevention of misuse and manipulation.
Access to location, ride and game information is granted only to persons or service providers to the extent necessary for operation, security, error analysis, prevention of misuse, prevention of manipulation or provision of the respective function.
13. Map, route and geodata services
We use map, route and geodata services to display maps, routes, areas and location-based functions. These may include, in particular, services from Mapbox, OpenStreetMap, Google Maps, Scenic or comparable services.
When map, route or geofunctions are used, technical data and location data may be processed, in particular IP address, device information, app and usage data, map sections, zoom levels, timestamps, search queries, route information, location data or interactions with the map.
Processing is carried out to provide the map, route and location-based app functions on the basis of Art. 6(1)(b) GDPR. Where precise location data is processed, this is generally based on your consent pursuant to Art. 6(1)(a) GDPR. Where processing serves security, error analysis or improvement of map functions, it is based on Art. 6(1)(f) GDPR.
Recipients of the data may, depending on the technical integration, include in particular:
· Mapbox, Inc., 740 15th Street NW, 5th Floor, Washington, DC 20005, USA
· Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, D04 E5W5, Ireland
· OpenStreetMap Foundation, St John’s Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom, where directly integrated
· Scenic or providers affiliated with Scenic, where corresponding route or map services are integrated
· companies affiliated with the above providers and subprocessors
Processing may also take place outside the European Union or the European Economic Area. Where required, such transfer takes place on the basis of appropriate safeguards within the meaning of the GDPR, in particular adequacy decisions, the EU-US Data Privacy Framework, standard contractual clauses or other permissible transfer mechanisms.
For transfers to the United Kingdom, an adequacy decision by the European Commission may apply.
14. Hosting, backend, databases and infrastructure
We use hosting, storage, backend, database, security and content delivery services to operate the app, deliver content and technically provide our services.
These services enable, in particular, the provision of the app infrastructure, storage and delivery of content, images, files, map and app data, synchronization of data and secure and performant use of the app.
Depending on use, this may involve processing in particular IP address, device information, technical request and connection data, log data, user account and profile data, content, communication data, location data, ride and crew data, game status, ranking information and other app data.
Processing is carried out to provide and securely operate the app on the basis of Art. 6(1)(b) GDPR. Where processing serves technical security, stability, error analysis, prevention of misuse, prevention of manipulation, performance optimization or improvement of the app, it is based on our legitimate interest pursuant to Art. 6(1)(f) GDPR. Where precise location data is concerned, processing is generally based on your consent pursuant to Art. 6(1)(a) GDPR.
Recipients of the data may include, in particular, hosting, backend, database, storage, security and content delivery providers as well as their subprocessors.
We conclude data processing agreements with processors pursuant to Art. 28 GDPR where required.
Processing may also take place outside the European Union or the European Economic Area. Where required, such transfer takes place on the basis of appropriate safeguards within the meaning of the GDPR, in particular adequacy decisions, the EU-US Data Privacy Framework, standard contractual clauses or other permissible transfer mechanisms.
15. Backend and database services: Supabase
We use the backend and database service Supabase to provide our app infrastructure, user management and secure storage and synchronization of app data.
The provider is SUPABASE PTE. LTD., 65 Chulia Street #38-02/03, OCBC Centre, Singapore 049513, Singapore.
Depending on use, user account, profile, content, communication, crew, ride, location, route, game status, ranking, log and technical usage data may be processed via this infrastructure. This may include, in particular, IP address, login data, authentication data, stored routes, ride histories, app activities, location data, game status, area status and technical log data.
Processing is carried out to provide the app and its functions, in particular user management, storage, synchronization, ride history, game functions and secure app infrastructure, on the basis of Art. 6(1)(b) GDPR. Where processing serves technical security, high availability, performance, error analysis, prevention of misuse, prevention of manipulation or improvement of the app, it is based on our legitimate interest pursuant to Art. 6(1)(f) GDPR. Where precise location data is concerned, processing is generally based on your consent pursuant to Art. 6(1)(a) GDPR.
Recipients of the data may include, in particular, Supabase, companies affiliated with Supabase and their subprocessors.
We have concluded a data processing agreement with Supabase pursuant to Art. 28 GDPR.
According to our current technical configuration, primary data storage takes place in a region within the European Union. Processing by Supabase or its subprocessors outside the European Union or the European Economic Area may nevertheless take place to the extent necessary for operation, support, security or provision of the service and legally permissible under data protection law.
As Supabase is established in Singapore and data transfers may take place to countries outside the European Union or the European Economic Area for which no adequacy decision of the European Commission exists, such transfers are made only on the basis of appropriate safeguards pursuant to Art. 44 et seq. GDPR, in particular on the basis of standard contractual clauses of the European Commission pursuant to Art. 46 GDPR and, where required, additional safeguards.
16. Firebase and Google services
We use Firebase and Google services, in particular for authentication, cloud storage, database functions, server functions, push notifications, error analysis, usage analysis, map functions or individual app functions.
The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, D04 E5W5, Ireland.
Depending on the service used, user, device, usage, content, communication, location, route, error and technical data may be processed.
Processing is carried out depending on the service and purpose on the basis of Art. 6(1)(b) GDPR, Art. 6(1)(f) GDPR and, where consent is required, Art. 6(1)(a) GDPR.
Recipients of the data may include, in particular, Google Ireland Limited, Google LLC, Alphabet Inc. and subprocessors.
We have concluded data processing agreements with Google where required.
Processing may also take place outside the European Union or the European Economic Area, in particular in the USA. Where required, such transfer takes place on the basis of appropriate safeguards within the meaning of the GDPR, in particular adequacy decisions, the EU-US Data Privacy Framework, standard contractual clauses or other permissible transfer mechanisms.
The Firebase and Google services used may include in particular:
Firebase Authentication
Firebase Authentication is used for registration, login and authentication of users within the app.
In particular, email address, telephone number, password or authentication information, user agent, IP address, device information, technical identifiers and login data may be processed.
Processing is based on Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR.
Firebase Firestore
Firebase Firestore serves as a database for storing, synchronizing and providing app data.
In particular, IP address, user agent, usage data, technical data and, depending on use, user account, profile, content, communication, location, route, ride, crew, game status and ranking data may be processed.
Processing is based on Art. 6(1)(b) GDPR, Art. 6(1)(f) GDPR and, where precise location data or data requiring consent is concerned, Art. 6(1)(a) GDPR.
Firebase Cloud Functions
Firebase Cloud Functions is used to execute server-side functions required for the operation of individual app functions.
In particular, IP address, technical request and connection data, log data and, depending on the function, user, content, communication, location, route, ride, crew, game status or ranking data may be processed.
Processing is based on Art. 6(1)(b) GDPR, Art. 6(1)(f) GDPR and, where data requiring consent is concerned, Art. 6(1)(a) GDPR.
Firebase Cloud Storage
Firebase Cloud Storage is used to store and provide app content, images, files, media or other user-generated content.
In particular, accessed content, uploaded content, files, images, videos, technical access data, IP address, device information, access method, timestamps and usage data may be processed.
Processing is based on Art. 6(1)(b) GDPR, Art. 6(1)(f) GDPR and, where consent is required, Art. 6(1)(a) GDPR.
Firebase Cloud Messaging
Firebase Cloud Messaging is used to send and deliver push notifications and technical messages.
In particular, push tokens, installation ID, device information, technical identifiers, notification settings, message content, delivery and usage data may be processed.
Processing is based on Art. 6(1)(a) GDPR where push notifications are based on your consent, Art. 6(1)(b) GDPR where notifications are required for a function used by you, and Art. 6(1)(f) GDPR for security, technical delivery and prevention of misuse.
Firebase Crashlytics
Firebase Crashlytics is used to record and evaluate crash and error reports.
In particular, error data, crash data, unique identifiers, device information, operating system, app version, IP address and technical usage data may be processed.
Processing is based on our legitimate interest pursuant to Art. 6(1)(f) GDPR in the security, stability, error correction and improvement of the app. Where consent is required, processing is based on Art. 6(1)(a) GDPR.
Google Analytics for Firebase
Google Analytics for Firebase is used to analyze app usage, improve functions and measure reach or interactions.
In particular, identifiers, usage data, session duration, IP address, geographic location, operating system, device information, app updates, time of first visit, viewed content, interactions and technical event data may be processed.
Processing is based on Art. 6(1)(a) GDPR where consent is required, and Art. 6(1)(f) GDPR to the extent that consent-free, data protection-compliant reach measurement or technical analysis is permissible.
Google Maps
Google Maps may be used to display maps, places, routes or location-related information.
In particular, date and time of access, location data, IP address, URL, usage data, search terms, geographic location, device information and technical access data may be processed.
Processing is based on Art. 6(1)(b) GDPR to the extent that map functions are required to provide the app, Art. 6(1)(a) GDPR to the extent that precise location data or map services requiring consent are concerned, and Art. 6(1)(f) GDPR for security, stability and improvement of map functions.
Google Gemini
Google Gemini may be used to provide AI-assisted functions within the app.
In particular, texts or content actively provided by the user, tour descriptions, tour titles, information about motorcycles or other contextual information required for the respective function may be processed.
Processing is based on Art. 6(1)(b) GDPR to provide the respective function, Art. 6(1)(a) GDPR where consent is required, and Art. 6(1)(f) GDPR for security, error analysis and prevention of misuse.
Use only takes place if you actively use the respective AI function. There is no automated decision-making with legal effect or similarly significant adverse effect within the meaning of Art. 22 GDPR.
17. Cloudflare
We may use Cloudflare to provide our website, interfaces, content or technical infrastructure securely and efficiently.
The provider is Cloudflare, Inc., USA.
Cloudflare may be used in particular for content delivery, DNS, security functions, protection against misuse and attacks, performance optimization and technical provision.
In this context, IP address, technical request and connection data, header information, device and browser information, timestamps, security events and log data may be processed.
Processing is based on Art. 6(1)(f) GDPR on the basis of our legitimate interest in the security, stability and performant provision of our services and Art. 6(1)(b) GDPR where processing is necessary to provide our services.
Processing outside the EU/EEA, in particular in the USA, may take place where the requirements of Art. 44 et seq. GDPR are met.
18. RevenueCat, app stores, payments and in-app purchases
Where paid functions, in-app purchases, subscriptions, CrewCoins, premium functions or other digital services are offered in the app, payment processing is generally carried out via the respective app store provider or payment service provider.
We use RevenueCat to manage in-app purchases, subscriptions, digital entitlements, purchase status, entitlements, transaction information and technical purchase validation.
The provider is RevenueCat, Inc., USA.
Depending on use, app user ID, device or installation identifiers, product ID, transaction information, purchase and subscription status, entitlement information, technical usage data and store-related information may be processed.
As a rule, we do not receive complete payment data such as credit card numbers. Processing by the respective app store provider or payment service provider is carried out in accordance with its own privacy policies.
Processing is based on Art. 6(1)(b) GDPR for the provision, management and billing of paid functions and Art. 6(1)(f) GDPR for security, fraud prevention, technical verification and prevention of misuse. Where statutory retention obligations apply, processing is based on Art. 6(1)(c) GDPR.
Processing outside the EU/EEA, in particular in the USA, may take place where the requirements of Art. 44 et seq. GDPR are met.
19. Consent management
We use a consent management tool to manage, store and document consents and privacy settings.
The provider may in particular be Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany, or a comparable consent management provider.
In particular, consent status, opt-in/opt-out data, timestamps, consent ID, consent type, template version, banner language, user agent, device and browser information, technical IDs, IP address, geographic location and user settings may be processed.
Processing is based on Art. 6(1)(c) GDPR where processing is necessary to comply with legal obligations, and on Art. 6(1)(f) GDPR to the extent that processing serves our legitimate interest in legally compliant documentation of consents.
Where information is stored on or accessed from your terminal device for this purpose, this is carried out in accordance with the provisions of the TDDDG.
20. AI-assisted functions
The app may provide AI-assisted functions, for example to support the creation, improvement or structuring of texts, tour descriptions, content or other inputs.
If you actively use such a function, the content you provide and the contextual information required for the function may be processed. This may include, in particular, texts, descriptions, titles, profile or content information and technical usage data.
Processing is carried out to provide the respective AI function on the basis of Art. 6(1)(b) GDPR. Where the function is used voluntarily and consent is required, processing is based on Art. 6(1)(a) GDPR. Where data is processed for security, error analysis and improvement of the function, this is based on Art. 6(1)(f) GDPR.
There is no automated decision-making with legal effect or similarly significant adverse effect within the meaning of Art. 22 GDPR.
21. Game status, points, rankings and possible prizes
The app may automatically calculate points, game status, rankings, area status or comparable results on the basis of the use of certain functions. These calculations serve to provide gamified community functions.
Where rankings, winners, placements or comparable results are determined as part of gamified functions, this is carried out on the basis of the respective participation terms and the results achieved within the function.
Automatically calculated points, rankings or area status may form the basis for displaying game status or determining winners.
Crew-related results, rankings, point scores, crew sizes, regional assignments or approximate location information of crews, area results and cartographic area displays may be published within the app and on the Yomoko website where this is necessary for the display of location-based game and community functions, community results, the ranking function, the area history or the game history. The display generally takes place at crew, area or regional level and not as publication of precise GPS raw data of individual users.
Where prizes, digital rewards, CrewCoins, boosters, vouchers, physical prizes or comparable benefits are provided, game status, rankings, participation information, user account and contact data may be processed in order to determine winners, provide prizes, prevent misuse and process the respective campaign.
Where legally or factually necessary, we reserve the right to carry out a manual review, in particular to prevent misuse, manipulation or fraud.
There is no automated decision-making with legal effect or similarly significant adverse effect within the meaning of Art. 22 GDPR.
Details may be set out in separate participation terms.
22. Analytics, advertising, Advertising Identifier and partner offers
We may process usage data to analyze and improve the app, fix errors, measure reach, optimize functions and provide offers within the app.
Where necessary and legally permissible for analytics, advertising, reach measurement or partner functions, device-related advertising or analytics identifiers may be processed. These may include, in particular, the Advertising Identifier of Apple devices, e.g. IDFA, the Google Advertising ID or comparable temporary device identifiers.
These identifiers may be used to evaluate the use of the app, measure reach, prevent fraud, display advertising or partner offers or measure their success.
Such identifiers are processed only to the extent permitted under app store requirements, the user's system settings and applicable data protection requirements. Where consent is required, processing is based on Art. 6(1)(a) GDPR. Where processing is necessary and permissible without consent for security, fraud prevention, technical measurement or prevention of misuse, it is based on our legitimate interest pursuant to Art. 6(1)(f) GDPR.
Users can change, restrict, revoke or reset tracking and advertising settings or corresponding identifiers in the device or system settings. If tracking is disabled, certain analytics, advertising or personalization functions may be limited; basic functions such as technical security, error analysis or fraud prevention may remain possible.
Where partner offers, vouchers, benefit areas, advertising or similar content are displayed, technical usage data, interaction data and, where applicable, pseudonymized or aggregated analyses may be processed for this purpose.
Personal data is transferred to partners only if this is necessary to provide the respective offer, you have expressly consented or another legal basis exists.
23. Cookies, local storage and similar technologies
In order to make our app and website user-friendly, operate them securely and provide certain functions, we may use cookies, local storage, device identifiers, app instance IDs, session IDs or comparable technologies.
Some of the cookies or comparable technologies we use are automatically deleted after use ends. Others remain on your device for a certain period of time in order to recognize settings, logins, consents or other functions when you use the app again.
Where cookies or comparable technologies are used, certain information may be processed depending on the function, in particular IP address, device information, browser or webview data, language settings, usage data, location data, technical identifiers, consent settings and timestamps.
Cookies and comparable technologies may in particular serve to store settings, document consents, enable logins, ensure security, provide app functions, analyze errors, measure use or improve usability of the app.
Where information is stored on or accessed from the terminal device, this is carried out in accordance with the applicable statutory provisions, in particular the TDDDG where applicable. Technically necessary storage or access may be permissible without consent. Non-essential storage or access only takes place where consent is required and has been given.
Processing of personal data is carried out depending on the purpose on the basis of Art. 6(1)(b) GDPR, Art. 6(1)(c) GDPR, Art. 6(1)(f) GDPR or on the basis of your consent pursuant to Art. 6(1)(a) GDPR.
You can change corresponding settings in the app, operating system or browser. Please note that this may result in restrictions on the use of individual functions.
24. Contact and support
If you contact us, for example by email, contact form or via an app function, we process the data you provide to handle your request. This may include, in particular, name, email address, message, technical metadata and other information provided by you.
This also applies if you exercise rights to access, deletion, data export or other data protection rights.
Processing is based on Art. 6(1)(f) GDPR. If your request is aimed at concluding or performing a contract or is necessary to process a user account, processing is additionally based on Art. 6(1)(b) GDPR. Where we are legally obliged to process the request, processing is based on Art. 6(1)(c) GDPR.
25. Recipients of data
Personal data may be transferred to the following categories of recipients to the extent necessary for the respective purposes:
· technical service providers for hosting, content delivery, backend, databases and storage
· providers of map, location, route and geodata services
· authentication, communication and push notification service providers
· analytics, error diagnosis and security service providers
· consent management service providers
· payment, app store and in-app purchase service providers
· partners or providers of benefit offers, to the extent necessary for an offer or where you have consented
· authorities, courts or other bodies, to the extent we are legally obliged to do so or need to protect our rights
We conclude data processing agreements with processors pursuant to Art. 28 GDPR where required.
26. Third-country transfers
Some of the service providers we use may also process personal data outside the European Union or the European Economic Area, in particular in the USA, Singapore, the United Kingdom or other third countries.
Such transfer takes place only if the requirements of Art. 44 et seq. GDPR are met, for example on the basis of an adequacy decision, the EU-US Data Privacy Framework, standard contractual clauses of the European Commission, additional safeguards or another permissible legal basis.
27. Retention period
We store personal data only for as long as necessary for the respective purposes or as required by statutory retention obligations.
Account data is generally stored for the duration of the user account. Content and app data are stored as long as they are required for the respective function, display within the app or administration of the user account.
Location, recording, route and movement data are stored for as long as necessary for the respective function, analysis, display, provision of a ride history, security, prevention of misuse, prevention of manipulation or traceability.
Precise location and route data may also remain stored after completion of a ride or game round to the extent necessary to display the recorded route later, provide ride or route histories, make game status traceable or prevent misuse and manipulation.
Derived function data, for example points, crew results, rankings, area status, area histories, statistics or season results, may be stored and displayed for a longer period where this is necessary for the respective function, traceability of ongoing or completed results, community display, ranking function or area history.
Crew-related result data, rankings, point scores, crew sizes, regional assignments or approximate location information of crews, area results and cartographic area displays may be published and stored within the app and on the Yomoko website for as long as necessary for the display of the community, crew, ranking, game, area or area history. The display generally takes place at crew, area or regional level and not as publication of precise GPS raw data of individual users.
Security, error and misuse logs may be stored for as long as necessary for technical security, error analysis, prevention of fraud or manipulation or the establishment, exercise or defense of legal claims.
When personal data is no longer required for the respective purposes, it will be deleted, anonymized, aggregated or further processed in a form that no longer allows direct identification, unless statutory retention obligations, legitimate interests or technical reasons prevent this.
After deletion of a user account, personal data will be deleted or anonymized unless statutory retention obligations, legitimate interests or technical reasons prevent immediate deletion.
Publicly provided content or already completed community, crew, game or ranking results may continue to be displayed where necessary, but where possible without direct assignment to the deleted user account.
Backups are retained for up to 7 days according to the current technical concept.
28. Data security
We take appropriate technical and organizational measures to protect personal data against loss, misuse, unauthorized access, disclosure, alteration or destruction.
These include, in particular, access restrictions, technical security measures, authorization concepts and ongoing review of the systems used.
29. Rights of data subjects
You have the following rights in accordance with the statutory provisions:
· right of access pursuant to Art. 15 GDPR
· right to rectification pursuant to Art. 16 GDPR
· right to erasure pursuant to Art. 17 GDPR
· right to restriction of processing pursuant to Art. 18 GDPR
· right to notification pursuant to Art. 19 GDPR
· right to data portability pursuant to Art. 20 GDPR
· right to withdraw consent given pursuant to Art. 7(3) GDPR
· right to object pursuant to Art. 21 GDPR
· right to lodge a complaint with a data protection supervisory authority pursuant to Art. 77 GDPR
If you have given consent, you may withdraw it at any time with effect for the future. The lawfulness of processing carried out before withdrawal remains unaffected.
To exercise your rights, you can contact us using the contact details provided above.
30. Right to object
If we process personal data on the basis of Art. 6(1)(f) GDPR, you may object to this processing at any time on grounds relating to your particular situation.
We will then no longer process the data concerned unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.
If we process personal data for direct marketing purposes, you may object to this processing at any time. In this case, we will no longer use the data for direct marketing.
31. Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates the GDPR.
The competent authority may in particular be the data protection supervisory authority of your place of residence, your workplace, the place of the alleged infringement or our registered office.
32. Changes to this Privacy Notice
We may amend this Privacy Notice if our app, our functions, services used or legal requirements change.
The current version is available in the app or on our website.
