Privacy Policy for the App

In this policy (hereinafter “Privacy Policy”), you will learn how your data is processed and what rights of privacy you have when you use FlixBus: Bus travel through Europe App (hereinafter also referred to as the “App”) by FlixBus.

You can find further legal information here:

Terms and conditions of booking (TCB)
Terms and conditions of carriage (TCC)

1.    Name and address of the controller

The controller of the processing of your personal data (Art. 4(7) GDPR) is:
Flix SE
Friedenheimer Brücke 16
80639 Munich, Germany
Telephone: +49 (0)30 300 137 300
Email: service@flixbus.de 
Further information about our company can be found in the legal notice

2.    Contact details of the data protection officer

Our company data protection officer is available to you at any time to answer all your questions and as a contact person on the subject of data protection:
Flix SE
Friedenheimer Brücke 16
80639 Munich, Germany
Email: data.protection@flixbus.com
For general questions about FlixBus, please contact service@flixbus.de.

3.    Legal basis of data processing 

The processing of personal data is permitted if at least one legal basis listed below is complied with:

  • Art. 6 para. 1(a) GDPR: the data subject has given his/her consent to the processing of the personal data concerning him/her for one or more specific purposes;
  • Art. 6 para. 1(b) GDPR: the processing is necessary for the performance of a contract to which the data subject is a contracting party, or for the implementation of pre-contractual measures which are carried out at the request of the data subject;
  • Art. 6 para. 1(c) GDPR: the processing is necessary for compliance with a legal obligation to which the controller is subject (e.g., a statutory retention obligation);
  • Art. 6 para. 1(d) GDPR: the processing is necessary to safeguard the vital interests of the data subject or another natural person;
  • Art. 6 para. 1(e) GDPR: the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or
  • Art. 6 para. 1(f) GDPR: the processing is necessary to safeguard the legitimate interests pursued by the controller or a third party, unless the opposing interests or rights of the data subject prevail (in particular where the data subject is a child). 

For processing carried out by us, we specify the applicable legal basis under Clause 12. Processing can also be based on more than one legal basis.

4.    Categories of recipients

Under certain conditions, we transmit your personal data to our subsidiary companies, or personal data from our subsidiary companies is transferred to us, to the extent that is permissible.

As with any major company, we also use external domestic and foreign service providers to handle our business transactions and work with partner companies at home and abroad. These include, for example:

  • carriers (you can find an overview of the current carriers here)
  • (IT) service providers
  • financial institutions and payment service providers
  • sales partners
  • customer service providers (internal/external)
  • shop operators
  • security companies
  • (travel) insurers
  • other partners engaged for our business operations (e.g., auditors, banks, insurance companies, lawyers, supervisory authorities, other parties participating in company acquisitions)

The service providers and partner companies must provide guarantees that suitable technical and organizational measures are implemented by them in such a way that the processing meets legal requirements and the rights of the data subjects are safeguarded.

We transmit personal data to public bodies and institutions (e.g., police, public prosecutor’s office, supervisory authorities) if there is a corresponding obligation/authorization.

For processing carried out by us, we specify the categories of the data recipients under Clause 12.

5.    Requirements for the transfer of personal data to third countries

As part of our business relationships, your personal data may be shared with or disclosed to third parties, who may also be located outside the European Economic Area (EEA), i.e., in third countries. 

Insofar as it is necessary, we will inform about the respective particulars of the transfer to third countries in connection with the processing carried out by us. 

The European Commission certifies that some third countries have data protection that is comparable to the EEA standard by means of so-called adequacy decisions (a list of these countries and a copy of the adequacy decisions can be downloaded from: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.html). 

However, in other third countries to which personal data may be transferred, there may not be a consistently high level of data protection by reason of a lack of legal provisions. If this is the case, we ensure that data protection is adequately guaranteed. 

This is possible, for example, via binding company regulations (referred to as “binding corporate rules”), standard contractual clauses of the European Commission for the protection of personal data, certificates and recognized codes of conduct.

Insofar as it is necessary for your booking and the associated providing and processing of transport services, the transmission of personal data required for this to third countries is permitted in accordance with Art. 49 para. 1(b) GDPR.

Please contact our data protection officer if you would like more detailed information on this topic.

6.    Storage period and data deletion

The storage period of the personal data collected depends on the purpose for which we process the data. The data will be stored for as long as this is necessary to achieve the intended purpose. 

In the case of processing carried out by us, we specify how long the data will be stored by us. If no explicit storage period is specified below, your personal data will be erased or blocked as soon as the purpose or legal basis for the storage no longer applies. 

However, storage can take place beyond the specified time in the event of a(n) (imminent) legal dispute with you, or if other legal proceedings are initiated, or if storage is stipulated by statutory provisions to which we as the controller are subject. If the storage period prescribed by statutory provisions expires, the personal data will be blocked or erased unless further storage by us is required and there is a legal basis for this

7.    Automated decision making (including profiling)

We do not intend to use any personal data collected from you for any processes involving automated decision-making (including profiling). If we wish to implement these procedures, we will inform you of this separately in accordance with legal provisions.

8.    No obligation to provide personal data

We do not fundamentally make the conclusion of contracts with us dependent on you providing us with personal data beforehand. In principle, there is also no statutory or contractual obligation to provide us with your personal data; however, we may only be able to provide certain offers to a limited extent, or not at all, if you do not provide the data required for this. 

9.    Statutory duty to transmit certain data

Under certain circumstances, we may be subject to a special statutory or legal obligation to provide personal data to third parties, in particular public bodies.

10.    Data security

We use suitable technical and organizational measures to safeguard your data against accidental or intentional manipulation, partial or complete loss or destruction, or against unauthorized access by third parties, taking into consideration the latest technology, the implementation costs and the nature, scope, context and purpose of the processing, as well as the existing risks of a data breach (including the probability and effect of such an event) for the data subject. Our security measures are continuously being improved to take into account technological developments.

We will be happy to provide you with further information about this upon request. Please contact our data protection officer or our CISO (chief information security officer) in this regard.

His contact details are:
Flix SE
Friedenheimer Brücke 16
80639 Munich, Germany
Email: it-security@flixbus.com

11.    Your rights

You may assert your rights as a data subject regarding your personal data at any time, in particular by contacting us using the contact details provided in Clause 1. Data subjects have the following rights under the GDPR:

Right to information
You can request information in accordance with Art. 15 GDPR about your personal data processed by us. In your request for information, you should clarify your concern to make it easier for us to compile the necessary data. Upon request, we will provide you with a copy of the data that are the subject matter of the processing. Please note that your right to information may be limited under certain circumstances in accordance with statutory provisions.

Right to rectification
If the information relating to you is not (any longer) correct, you may request a correction in accordance with Art. 16 GDPR. If your data is incomplete, you may request completion.

Right to erasure
You may request the erasure of your personal data in accordance with the provisions of Art. 17 GDPR. Your right to erasure depends, among other things, on whether the data relating to you are still required by us to perform our statutory duties.

Right to restriction of processing
In accordance with the provisions of Art. 18 GDPR, you have the right to demand a restriction of processing of the data relating to you.

Right to data portability
In accordance with the provisions of Art. 20 GDPR, you have the right to receive the data that you have provided to us in a structured, commonly-used and machine-readable format, or to request the transmission to another controller.

Right to object
In accordance with Art. 21 para. 1 GDPR, you have the right to object to the processing of your data at any time for reasons relating to your particular situation. You can object to receiving advertising at any time with effect for the future, in accordance with Art. 21 para. 2 GDPR (objection to advertising in the case of direct marketing).

Right to appeal
If you are of the opinion that we have not complied with the provisions of data protection regulations when processing your data, you can complain to a data protection supervisory authority about the processing of your personal data, such as to the data protection supervisory authority under whose jurisdiction we fall: 
Bayerisches Landesamt für Datenschutzaufsicht [Bavarian State Office for Data Protection Supervision], Promenade 18, 91522 Ansbach, Germany

Right to withdraw consent
You can withdraw your consent to the processing of your data at any time with future effect. This also applies to declarations of consent that were issued before the GDPR came into force, i.e., before 05/25/2018.

12.    Use of the App

You can book and manage transport services by using the App. We collect, store and process personal data when installing and using the App.

12.1    Provision of the App

For technical reasons, a data exchange between the App and our server system is required in order to be able to provide you with the App for use and to guarantee the stability and security of the App. The following data will be processed for this purpose:
Access data, which consist of:

•    IP address
•    Date and time of request
•    Time zone difference  to Greenwich Mean Time (GMT)
•    Content of the request 
•    Access status/HTTP status code
•    Data volume transferred in each case
•    Website from which the request comes
•    Browser
•    Operating system and its interface
•    Language and version of the App
•    Name of your mobile device
•    Language, region and version of the mobile device
•    Advertising identifier (optional)

We use IT service providers by way of commissioned data processing for hosting the App and for statistical evaluations of the access data.

The legal basis is Art. 6 para. 1(f) GDPR. Our legitimate interest is to be able to make the websites available to you properly.

12.2    Access authorizations

The App requires access to various functions and interfaces of your mobile device. To do this, you must grant the App certain authorizations. The authorization system depends on the specifications of your operating system. For example, individual authorizations can be combined into authorization categories on your mobile device, whereby you can only agree to the authorization category overall. 

Please note that only limited App functions can be used without the authorizations requested by the App.

12.2.1    Access authorizations (all mobile devices)

The App requires an Internet connection in order to exchange data with the server system.
The receipt of background notifications must be activated to keep information about the bookings up-to-date.
If you grant the appropriate access authorization, your location data will be processed in the background (optional) in order to provide you with essential travel information (arrival times, transfer options, etc.) on your mobile device during the trip.

12.2.2    Location data (all mobile devices)

The app will inform you when you are approaching your destination/transfer station. To do this, the app needs to access your device’s location data and this requires your consent. You can do this by granting permission to the app on your device to access the geolocation of your device. You can withdraw your consent at any time in the future by revoking the permission for the app to access the location data of your device in your device settings. 

The legal basis is Art. 6 paragraph 1(a) of the GDPR. Section 25 paragraph 1 of the TTDSG (Telekommunikation-Telemedien-Datenschutz-Gesetz [Telecommunications-Telemedia Data Protection Act]).

12.2.3    Android

If you are using a mobile device with the Android operating system, you can activate access to your calendar to add bookings in your calendar (optional).

12.2.4    Apple iOS

If you are using a mobile device with the Apple iOS operating system, you can activate the receipt of notifications (push notifications) (optional). 

12.3    Contact forms

When using contact forms, the data transmitted in this way are processed (e.g., title, last name and first name, address, company, email address and the time of transmission, subject matter of the enquiry).

Contact form data are processed in order to process enquiries; depending on the basis and the subject matter of your enquiry, this is done either on the legal basis of Art. 6 para. 1(b) GDPR if it concerns a contract-related enquiry, or on the legal basis of Art. 6 para. 1(f) GDPR in other cases; our legitimate interest is to process contact enquiries.

We use customer service providers by way of commissioned data processing to answer enquiries made via our contact forms.

In addition, we store the contact form data as well as the respective IP address in order to comply with our obligations to provide evidence, to ensure compliance with and documentation of legal obligations, in order to be able to clarify any possible misuse of your personal data and to ensure the security of our systems. 

The legal basis is Art. 6 para. 1(c) or (f) GDPR.

12.4    Booking, execution and processing of transport services

When booking tickets for transport services, we collect, store and process the following categories of personal data:

•    Email address
•    Last name und first name(s)
•    Billing address and tax number (optional)
•    Connection data
•    Payment data/payment method
•    Date of birth 
•    Telephone number
•    Consent to the respective terms and conditions 
•    Consent to receive the newsletter (optional)
•    Advance seat reservation information
•    Baggage details
•    Language of your mobile device 
•    Booking channel (web or App)
•    CO2 donation (optional)

You also have the option of providing a contact telephone number in case of delays or changes in the itinerary of your trip (optional).

These data are processed for the booking, providing and processing of transport services, including customer service, as well as for the fulfilment of legal obligations. 

The legal basis is Art. 6 para. 1(b), (c) GDPR.

We also use some of these data for product recommendations (see Clause 12.5), the newsletter (see Clause 12.6) and the customer account (Android) (see Clause 12.7).

When booking tickets for international transport services, the following categories of personal data are also collected depending on the place of departure and arrival:

•    Information on gender
•    Nationality
•    ID card, passport, birth certificate or ID number
•    Information in connection with measures to contain the COVID-19 (coronavirus) pandemic (for more information on this topic, see https://www.flixbus.de/datenschutz-covid-19)

These data are processed for the booking, provision and processing of transport services as well as for the fulfilment of legal obligations under national legislation at the place of departure and arrival. 

We pass on the above-mentioned data to the respective carrier or carriers, as well as to public bodies if there is a corresponding obligation/authorization.

The legal basis is Art. 6 para. 1(b) or (c) GDPR.

The necessary payment data will be transmitted to a payment service provider for the secure processing of the payments initiated by you.

Our payment service providers are:

Payment service providersPayment options
Adyen N.V.
Simon Carmiggeltstraat 6-50, 1011 DJ, Netherlands
Privacy policy:
https://www.adyen.com/policies-and-disclaimer/privacy-policy

Credit card
Swish
Google Pay
Apple Pay
iDeal
Dotpay
Sofort/Klarna
PayU Bilgi Teknolojileri A.S.
Otakcilar Cad. No.: 78, Flat Ofis D-Blok 34050, Eyup - ISTANBUL
Privacy policy:
https://payu.in/privacy-policy
Credit card
Ratepay GmbH, Franklinstraße 28-29, 10587 Berlin, Germany
https://www.ratepay.com/legal-payment-dataprivacy/
Direct debit
PayPal (Europe) S.à r.l. et Cie, S.C.A.
22-24 Boulevard Royal, 2449 Luxembourg
Privacy policy:
https://www.braintreepayments.com/de/legal/braintree-privacy-policy
PayPal
Satispay Europe S.A.
53 Boulevard Royal, 2449 Luxembourg
Privacy policy:
https://www.satispay.com/en-lu/privacy/privacy-policy/
Satispay

The legal basis is Art. 6 para. 1(b) or (f) GDPR.

12.5    Product recommendation

To the extent permitted, we may use the email address received in connection with the booking or transport service to send you regular offers by email for products from our range similar to those already purchased.

We use external customer service providers as processors to send product recommendations.

You will receive these product recommendations from us regardless of whether you have subscribed to a newsletter or have consented to marketing communication by email. We would like to provide you in this way with information about products from our range that you might be interested in, based on your recent purchases with us.

The legal basis is Art. 6 para. 1(f) GDPR; our legitimate interest is to inform you about our product range and to suggest certain products to you. 

You can object to the use of your email address for this purpose at any time by using the unsubscribe link of the product recommendation or by sending a message to unsubscribe@flixbus.com. 

12.6    Newsletter

If you also register for the newsletter via our registration link, we ask you to consent to the processing of your data (email address, first and last name, place of residence) in order to send you our newsletter by email on a regular basis. 

As part of your subscription to the newsletter, we also obtain your consent that we may personalize the content of our newsletter according to your needs and interests.

To register for our newsletter, we use the double opt-in procedure. This means that after you have registered, we will send an email to the email address you provided, asking you to confirm that you wish to receive the newsletter. If you do not confirm your registration within 24 hours, your information will be blocked and automatically erased after one month.

The newsletter may concern all goods, services, products, offers and promotions provided by the controller (Clause 1) and/or by companies affiliated with the controller, or by partner companies. 

The legal basis is Art. 6 para. 1(a) GDPR.

In addition, we store the IP addresses you use and the times of registration and confirmation. The purpose of the procedure is to prove that you are registered and, if necessary, to be able to clarify any possible misuse of your personal data. If we process your personal data for this purpose, this is done on the basis of our legitimate interests in ensuring compliance with and documentation of legal requirements. 

The legal basis is Art. 6 para. 1(f) GDPR; our legitimate interest is to be able to prove consent.

You can revoke the use of your email address at any time by using the unsubscribe link of the newsletter or by sending a message to unsubscribe@flixbus.com. The legality of the data processing operations already carried out remains unaffected by the revocation.

We use external IT service providers who act as processors to distribute the newsletter.

12.7    Cookies and similar technologies

The App uses cookies and similar technologies. 

In addition to first-party cookies, which we as the controller set, third-party cookies offered by other providers are also used. 

As part of consent management (consent banner), we give you the opportunity to decide between the use of cookies and the use of similar technologies. 

You can find a detailed overview with comprehensive information on the services used and access to your consent settings, including the option of revocation, in the settings in the App.

12.8 Fraud Prevention

To prevent fraudulent bookings, we process order-related data, e.g. IP-address, Name, E-mail address.

This is lawful under Art. 6 para. 1 (f) GDPR. Our legitimate interest is to prevent being victim to fraud and suffering financial losses.

In individual cases, a decision about cancellation may occur after booking based on automated decision. The logic for this is based on a set of internal algorithms that processes relevant data points and provides us with scores on matches to different fraudulent patterns or compare the data points with thresholds and values typical of fraudulent patterns in order to detect fraudulent bookings. If you wish to contest this decision, express your own point of view or obtain the intervention of a human of the part of the controller, please reach out to data.protection@flixbus.com.

12.9    Customer service

When you contact our customer service, we collect the personal data that you provide to us on your own initiative. For example, you can send this to us by email, telephone or letter. Your personal data will only be used in order to contact you, or for the purpose for which you have provided us with this data, e.g., for processing your enquiries, technical administration or customer administration.

These data (including information on means of communication such as email address, telephone number) are provided on a voluntary basis. We use the data to process your concern, to fulfil legal obligations if necessary, and for administrative purposes.

The legal basis is Art. 6 para. 1(b), (c) or (f) GDPR.

In the case of a telephone enquiry, your data is also processed by telephone applications and in part also via a voice dialogue system in order to support us in the distribution and processing of enquiries. 

For our customer service, we use external customer service providers as processors.

12.10    Presence on social media

We have a presence on social media (currently: Facebook, Instagram, LinkedIn and Twitter). To the extent we have control over the processing of your data, we ensure that the applicable data protection regulations are complied with. 

In addition to us, the following are responsible for the company’s presence within the meaning of the GDPR and other data protection provisions:

Facebook (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland)
Instagram (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland)
Twitter (Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland)
LinkedIn (LinkedIn Ireland Unlimited Company, Gardner House Wilton Place, Dublin 2, Ireland)

We would like to point out that your data may be processed outside the European Union.

The legal basis for the processing of your personal data by us is Art. 6 para. 1(f) GDPR. Our legitimate interest is effective information and communication.

Further information about rights of privacy in relation to our corporate presence on social media channels can be found here:
Facebook: https://www.facebook.com/notes/flixbus/facebook-fanpage-datenschutzrichtlinie/2107777085936747/
Instagram: https://www.facebook.com/policy.php
LinkedIn: https://www.linkedin.com/legal/privacy-policy

Version date: 24/11/2023