Privacy Notice

I. INTRODUCTION

 

This Privacy Notice (the “Notice”) explains how Distribusion processes personal data.

 

This Notice is issued by Distribusion Technologies GmbH (“Distribusion”, “we”, “us” or “our”) and is addressed to individuals outside our organisation with whom we interact through our website https://www.distribusion.com (the “Website”) or otherwise in the course of our business (such individuals being referred to in this Notice as “you”). 

 

Not all provisions of this Notice will apply to you and your personal data because this will depend on your specific relationship with Distribusion. 

 

When Distribusion provides services such as its API, booking engine and agency tool to its business partners (“B2B Services”), Distribusion is a data processor, processing personal data under the written instructions of those business partners (which for these purposes are the data controllers). This Notice does not inform you about data processing activities where Distribusion acts as data processor. 

 

While providing B2B Services, Distribusion may, for certain processing activities (e.g., payment orchestration), determine the purposes and means of processing your payment transaction data (e.g., credit card details). This Notice informs you about these (as well as all other) data processing activities, where Distribusion acts as data controller.

 

This Notice may be amended or updated from time to time to reflect changes in our practices with respect to the processing of personal data or changes in applicable law. We encourage you to read this Notice carefully and to regularly check this page to review any changes we might make.

 

This Notice was last updated on 1 March 2026.

 

II. INFORMATION ABOUT THE DATA CONTROLLER. CONTACT DETAILS. 

 

The data controller of your personal data is:

​

Distribusion Technologies GmbH

Commercial Registry Number: HRB 176406 B

Registration Court: Local Court (Amtsgericht) Berlin-Charlottenburg

Registered address: Wattstraße 10,13355 Berlin

 

Data Protection Officer (“DPO”): Clandestine GmbH

DPO email: dpo@distribusion.com 

DPO address: c/o Distribusion Technologies GmbH, Wattstraße 10,13355 Berlin

 

III. PERSONAL DATA. PURPOSES AND LEGAL BASES OF PROCESSING.

 

Distribusion receives your personal data when that data is provided to us in the course of our relationship with you or when you visit our Website. 

 

We do not seek to collect or otherwise process special categories of personal data (“sensitive personal data”) in the ordinary course of our business where we act as data controller. Where we need to process sensitive personal data, we do so in accordance with applicable data protection laws.

 

We typically perform the following data processing activities during the course of our ordinary business:

 

1. CONTACT FORM AND CONTACT VIA EMAIL

 

Distribusion may process the following personal data in order to respond to requests submitted through our Website or via email: 

1. your full name;

2. your email address; 

3. any other personal data included in the enquiry or request; and

4. communication metadata.

 

The personal data received will be used for the purposes of processing and responding to those requests, based on our following legitimate interests:

• to clarify, provide additional information and respond to questions about our services and the information available publicly; and

• to improve the quality of our services and facilitate business-to-client communication. 

 

Whenever a request concerns contract-related issues, the data processing will be performed on the basis that it is necessary for the performance of a contract with an existing client or in order to fulfil the request of a potential client prior to entering into a contract with them.

​

2. BUSINESS PARTNERS AND CONTRACTORS

 

Distribusion also processes personal data (full name, business email address, etc.) in relation to the workforce (e.g., employees) of its respective business partners and contractors. 

​

3. PROVISION OF THE WEBSITE AND SERVER LOG FILES

 

We may employ tools and Cookies to administer the Website; to enable your access to the Website; to run analytics to understand your use of our Website, so as to improve its offering or tailor content according to your preferences; and to ensure its stability and security. 

With each visit to the Website, Distribusion automatically collects information that your browser transmits to our server. This information is also being stored in Distribusion’s system’s log files. The following data may be collected:

1. the browser software you use, as well as its version and language;

2. the operating system you use;

3. the subpages of the Website you visit;

4. the date and time of your visit to the Website;

5. transferred data volume;

6. the country (but not the precise location) from which you accessed the Website; and

7. the duration of your visit to the Website.

 

To the extent such processing is not essential for the proper functioning of the Website, we only store personal data on our servers and/or Cookies on your device after having obtained your express consent. You can manage your preferences (e.g., withdraw your consent to our processing of your personal data for these purposes) at any time through our Consent Management Platform. You can find more information about Cookies, and other non-essential processing activities, in our Cookie Policy or via our Consent Management Platform.

 

To the extent that our processing is necessary to deliver the Website and safeguard the Website’s security, we rely on the legitimate interest basis for processing because without that necessary data, we would not be able to provide the Website to you or protect its security. 

​

4. PAYMENT ORCHESTRATION SERVICES WITHIN B2B SERVICES

 

When providing B2B Services, and depending on the particular service contract we have in place with our business partners, Distribusion may orchestrate payment transactions between you (e.g., a prospective passenger) and ground transportation carriers, retailers or agents (our business partners) for the supply by our business partners of ground transportation services to you. As a result, the following personal data may be collected:

1. your full name;

2. your address; and

3. payment data (e.g., IBAN/BIC, credit/debit card number/details) depending on your chosen payment method (“payment data”).

 

Distribusion acts as a data controller when orchestrating payments and shares the above personal data with recipients acting as payment gateway providers; payment service providers; as well as payment acquirers or banks (“Payment Partners”). Distribusion has entered into contracts with all Payment Partners in which those Payment Partners guarantee to protect your personal data by complying with applicable data protection laws. Please note that Distribusion does not retain full credit/debit card data (i.e., the full credit/debit card number) after successful completion of the payment process.

 

Our data processing when providing payment orchestration services is based on our legitimate interest and the legitimate interest of our business partners. We will only process the data necessary to orchestrate your payments in accordance with our B2B Services agreements and insofar as you have actively provided such personal data to process payment for your intended ticket purchase.

​

5. FRAUD PREVENTION MECHANISMS

 

When providing B2B Services, and depending on the particular service contract we have in place with our business partners, Distribusion may offer fraud detection services to our business partners to secure payment transactions with passengers. The following data may be collected:

1. identifying data (your name, contact details or address);

2. payment data; and

3. communication metadata, such as your IP address.

 

Distribusion acts as a data controller when processing personal data to detect and prevent fraud. Such data processing is based on our legitimate interest and the legitimate interest of our business partners and is deemed necessary by us in order to protect our commercial interests.

​

IV. RETENTION PERIODS

 

The personal data we collect under section III 1. are stored and processed by us only for the period required for us to achieve the purpose of the processing; until the receipt of your undisputed objection to our legitimate interests; and / or the period required under applicable legislation, e.g., (for Germany):

• invoices and financial documents: according to §147 (3) of the German Fiscal Code (Abgabenordnung) may be retained for eight years;

• relevant accounting and commercial information: according to §257 of the German Commercial Code (Handelsgesetzbuch) may be retained for eight years;

• other documents: up to five years from the provision of the service / termination of the relationship to exercise or defend against legal claims, in accordance with the statutory limitation period for possible claims under our contract; and

• in the event of a dispute or handling of a complaint: the data may be processed for the period necessary for the establishment, exercise of or defence of the complaint or legal claim.

 

The personal data under section III. 2. are stored and processed by us until the service contract has been executed / the request has been administered, and for an additional period of no more than five years, unless further retention is necessary for the establishment, exercise or defence of legal claims.

 

The personal data under section III 3. are deleted as soon as they are no longer necessary to achieve the purpose of their collection. Where the processing is based on your consent, we delete the data upon the withdrawal of your consent, or in case the processing is based on our legitimate interests, receipt of your undisputed objection to our legitimate interests. In the case of data collected for the provision of the Website, deletion occurs when the session ends or the Cookie lifetime expires. Log files are deleted after 30 days, unless they are necessary for the exercise or defence of legal claims, or for security purposes (e.g., required to be reviewed after security incidents and / or to detect intrusions).

​

The personal data under section III. 4. are deleted as soon as they are no longer necessary to achieve the purpose of their collection. Distribusion may retain pseudonymised payment data to comply with obligations arising from financial and tax law obligations for a period of up to eight years. In any case, Distribusion may retain such personal data for as long as it is necessary to prove proper fulfilment of service towards business partners.

 

The personal data under section III. 5. are deleted as soon as they are no longer necessary to achieve the purpose of their collection.

In any of the above cases, Distribusion may anonymise (irreversible re-identification) personal data instead of deleting it (e.g., by aggregation and merging it with other aggregated data) and may process such anonymised data for any legitimate business purpose. Please note that properly anonymised data is not subject to applicable data protection legislation.

​

V. SHARING AND DISCLOSURE OF PERSONAL DATA. TRANSFERRING OF DATA OUTSIDE OF THE EEA/EU.

​

We may disclose personal data to other entities within the Distribusion group based on our legitimate interests.  Whenever we transfer personal data to Distribusion group entities, we rely on the data processing agreement entered into between all Distribusion group entities, and which also incorporates the standard contractual clauses issued by the EU-Commission, to safeguard data transfers to recipients in third countries that may have different laws and data protection compliance standards.

 

Additionally, we may also use third-parties to support certain activities in the course of our business. Personal data are disclosed to third-parties only with sufficient guarantees to ensure an adequate level of protection and the existence of a legal basis for this. Where this is legal and necessary, personal data may be disclosed by us to third-party recipients falling under the following categories of recipients:

• central and local regulatory authorities that have the power to receive / request information;

• crime prevention and detection authorities and regulatory authorities that have the power to request information;

• judicial authorities in the manner and conditions provided for by national law;

• Payment Partners, in connection with the administration of payments;

• lawyers, professional consultants, accounting service providers and auditors; and

• service providers for the purposes of providing and maintaining software products for the implementation of certain internal processes, storage, exchange and tracking of information. 

 

If we do engage a third-party service provider to process your personal data on our behalf, that “Processor” will be subject to binding contractual obligations to: (i) only process your personal data in accordance with our instructions; and (ii) use measures to protect the confidentiality and security of your personal data, together with any additional requirements under applicable data protection law, including those referred to below with respect to international transfers.

 

In connection with some of the above processes and services, some of your personal data may be transferred internationally: i.e., outside of the European Economic Area (“EEA”) if you are located within the EEA, or otherwise outside of the country in which you are located, when you access our Website or other services. The transfer of such personal data takes place only with appropriate safeguards to ensure an adequate level of protection and compliance with all provisions of the applicable legislation regarding the transfer. For example, in the case of personal data relating to data subjects based within the EEA: (i) an official decision made by the European Commission that a third country, a territory or one or more specified sectors within that third country or the international organisation ensures an adequate level of data protection; or (ii) by implementing standard contractual clauses approved by the European Commission to provide such safeguards.

​

For more information about data sharing and data transfer taking place, please contact Distribusion’s DPO.

​

VI. DATA SUBJECTS’ RIGHTS

​

At any time while we process your personal data, some or all of the following rights may apply to you, depending on, e.g., our legal basis of processing:

​

1. Right to information

 

You have the right to be informed about the collection and use of your personal data to which this Notice relates.

​

2.  Right of access

 

At your request, we shall provide access to or copies of the personal data concerning you which are being processed by us or by Processors according to our instructions. Information shall be provided free of charge, provided that your request is not manifestly unfounded or excessive. Otherwise, a fee may be charged.

​

3. Right to rectification

 

You have the right to request the updating (rectification) of incomplete, inaccurate, inappropriate or obsolete data about you. 

​

4. Right to erasure

 

Personal data must be erased if: (a) they have been processed unlawfully; (b) they are no longer necessary in relation to the purposes for which they were processed; (c) you withdraw your consent when the processing was based on such and there is no other legal ground for the processing; (d) on grounds relating to your particular situation, you object to the processing of your data which is performed on the basis of our legitimate interest, and there are no overriding legitimate grounds for the processing; (e) the period of data retention prescribed by the applicable legislation has expired; or (f) the erasure of personal data has been instructed by court or by the competent supervisory authority. 

 

We may be allowed to retain the data, even in the cases listed above, if the processing is necessary to ensure compliance with a statutory obligation or for the establishment, exercise or defence of legal claims.

​

5. Right to restriction

 

Instead of erasing personal data, we may restrict their processing at your request or, when the accuracy of the personal data is contested by you, for a period enabling us to verify the accuracy.

In cases of such restriction, the personal data may only be processed only for as long as the reason that prevented their erasure continues to exist.

​

6. Right to object

 

You may have the right to object to the processing of your personal data where such processing is performed on the basis of our legitimate interest or the processing is taking place for direct marketing purposes. In the latter case, we shall suspend such processing immediately upon receiving your objection, without undue delay.

​

7. Right to object to automatic decision-making, including profiling

 

You may have the right to object to decision-making, where that decision-making is based solely on automated processing, including profiling, which produces legal effects concerning you. If we start performing such decision-making, we will notify you.

​

8. Right to data portability

 

You may have the right to request us to provide you with the personal data held about you in a structured, commonly used and machine-readable format.

​

9. Right to withdraw consent for processing

 

When we process personal data on the basis of your consent, you have the right to withdraw your consent at any time and without paying any fees, bearing in mind that such withdrawal will not affect in any way the lawfulness of the processing performed based on your consent before the withdrawal.

​

10. Remedies in case of violations of data subject rights

 

If you consider that your privacy or data protection rights have been violated, you may:

1. lodge a formal complaint with the supervisory authority where you are located or the supervisory authority which oversees our data protection compliance, which in the case of Distribusion Technologies GmbH is the Berlin Commissionary for Data Protection and Information Security (Berliner Beauftragte für Datenschutz und Informationssicherheit - “BBDI”). The contact details of the BBDI are, as follows:

   • Name: Berliner Beauftragte für Datenschutz und Informationssicherheit 

   • Address: Alt-Moabit 59-61, 10555 Berlin 

   • Е-mail: mailbox@datenschutz-berlin.de 

   • Website: https://www.datenschutz-berlin.de/ 

   • Phone No.: +49 30 13889-0

2. take legal action before a court to appeal the actions/decisions of the BBDI (after having previously lodged a complaint with the BBDI); or

3. bring a legal action in court against us and claim compensation for any damages incurred as a result of the processing of your personal data carried out by us.

​

VII. DATA SUBJECT REQUESTS

​

In order to exercise any of your rights or obtain more information about the protection of your personal data, you may contact us or our DPO by email. We may ask you to provide additional information needed to verify your identity. 

We respond to any requests related to your rights as soon as possible in the form in which your request was made, but in any case, no later than within 30 days. If we are unable to fulfil your request, we shall state to you the factual and legal reasons for its rejection. If your request is rejected, in that rejection, we shall notify you of the possibilities of seeking a legal remedy before the competent supervisory authority or a court.

 

VIII. CONCLUDING PROVISIONS

 

If you have any questions regarding the protection of personal data, you can contact us or our DPO at our contact details provided above.