Privacy Policy

This privacy policy explains the nature, scope, and purpose of the processing of personal data that we, PAYUCA GmbH (“PAYUCA”), process when you visit our website and use our online applications, mobile platforms, and app – provided that these refer to this privacy policy. It also provides information on how the collection of personal data can be prevented, if applicable.

The protection of your data is particularly important to us. We treat personal data with the utmost care and process it exclusively in accordance with the applicable data protection regulations. The aim is to enable the use of our website and to continuously improve our online range of services.

The current version of this privacy policy is available at any time here. When using additional online services from PAYUCA, the current version of the general terms and conditions for the respective product also apply.

We process personal data (“data”) in two ways:

Data that you voluntarily and actively provide to us, for example by filling out the contact form on our website or when creating a PAYUCA account in our app.

Data that is automatically transmitted by your browser or device when you use our services – for example, through the use of cookies or similar technologies.

When you visit our website, data (server log files) is automatically collected. This primarily includes:

• The IP address of the device you use to connect to the web server,
• Date and time of the website visit,
• Type, version, and settings of the web browser,
• Information about your operating system and service provider,
• Requested pages and files,
• Referrer URL (page used before visiting our website, from which you were connected to our website).

The processing of this data is necessary to ensure the functionality, stability, and security of our website. This data may also be processed in the context of forensic investigations in the event of a security incident or for the creation of (anonymous) user statistics.

Legal basis: Processing is carried out on the basis of Art. 6 (1) lit. f GDPR and serves our legitimate interest in maintaining the functionality, stability, and security of our website.

Storage period: When you visit our website via our hosting service providers, server log files are stored for up to 24 hours by default. Our systems are configured in such a way that no log data relating to access (e.g., IP address, time stamp, requested resources) is stored permanently. Short-term access to so-called live logs is only possible for technical error analysis and is exclusively temporary and without storage.

We use so-called cookies on our website. These are text files that are stored on your device and enable us to analyze the use of the website – for example, to facilitate operation and optimize user-friendliness. You can restrict or prevent the storage of cookies by adjusting your browser software settings accordingly. In this case, however, we cannot guarantee that all functions of the website will be available without restriction. If you wish to deactivate cookies, you will find information on how to prevent cookies from being set, how to be notified of new cookies, or how to block cookies completely in the help menu of most browsers. A distinction is made between essential (technically necessary) and optional cookies:

Essential cookies are responsible for the proper functionality of our website. Without essential cookies, this would not be guaranteed or would only be guaranteed to a limited extent. The use of essential cookies does not require consent.

Legal basis: Processing is carried out on the basis of Art. 6 (1) lit. f GDPR and serves our legitimate interest in maintaining the functionality, stability, and security of our website.

The essential cookies used are:

Optional cookies are used to optimize the website, the user experience, and to analyze user behavior or personalize marketing activities. These cookies include statistics and marketing cookies, among others. Optional cookies may only be set with the consent of the data subject via the cookie banner. Consent can be withdrawn at any time (for all or individual cookies). Withdrawal is possible at any time via the cookie banner and via the browser settings (see below for details). Withdrawal of consent does not affect the lawfulness of processing based on consent before revocation. Rejecting or deleting cookies that require consent may lead to functional restrictions on the website.

Legal basis: Processing is based on your consent in accordance with Art. 6 (1) (a) GDPR in conjunction with § 165 (3) TKG.

The optional cookies used are:

By clicking “Accept all (including transfer to the US)” in the cookie banner, you consent to the use of the above-mentioned optional cookies on our website.

Most browsers automatically accept cookies. However, you can change your browser settings to delete cookies or prevent their automatic use. In general, you have the option to see which cookies have been set and delete them individually, block third-party cookies or cookies from specific websites, accept all cookies, be notified when a cookie is used, or reject all cookies. Select “Options” or “Settings” in your browser to change your preferences and use the following links for more browser-specific information:

• cookie settings in Microsoft Edge
• cookie settings in Firefox
• cookie settings in Chrome
• cookie settings in Safari

If you reject or disable all cookies, any preferences you have set will be lost and individual subpages of our website may not be displayed properly. For these reasons, we recommend that you do not disable cookies when using our website.

The following is a list of service providers that set optional cookies after you have given your consent during your visit to our website:

This website uses Google Analytics, a web analytics service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). For users in the European Economic Area (EEA) and Switzerland, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, is responsible for the processing of personal data.

Google Analytics uses cookies, which are text files placed on your computer to help the website analyze how users use the site. The information generated by the cookie about your use of this website (including your IP address) is transmitted to a Google server in the USA and stored there. Google uses this information to evaluate your use of the website, to compile reports on website activity for us, and to provide other services related to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google.

You may refuse the use of cookies by selecting the appropriate settings on your browser software or by deactivating cookies in the cookie banner. However, please note that if you do this, you may not be able to use the full functionality of this website.

Further information about the privacy policy of Google Analytics can be found here and about the terms of use of Google Analytics here.

Legal basis: The use of this service is based on your consent in accordance with Art. 6 (1) lit. a GDPR and § 165 (3) TKG. Further information on consent can be found under optional cookies in section 3 of this privacy policy. Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here. The company is certified under the EU-U.S. Data Privacy Framework (DPF). Further information on the DPF can be found in section 5 of this privacy policy.

If Google AdSense, a web advertising service provided by Google, places advertisements (text ads, banners, etc.) on this website, your browser may store a cookie set by Google or third parties. The information stored in this cookie may be collected, gathered, and evaluated by Google or third parties. In addition, Google AdSense also uses so-called “web beacons” to gather information. With the help of this technology, simple actions – such as visitor traffic on the website – can be recorded, collected, and evaluated. The information generated by the cookie and/or web beacon about your use of this website is transmitted to a Google server in the USA and stored there. Google uses this information to evaluate your usage behavior with regard to AdSense ads. This data may be passed on to third parties if this is required by law or if third parties process this data on behalf of Google. Your IP address will not be merged with other data stored by Google.

You can prevent cookies from being stored on your hard drive and web beacons from being displayed by selecting “do not accept cookies” in your browser settings (e.g., in Internet Explorer under “Tools / Internet Options / Privacy / Settings,” in Firefox under “Tools / Settings / Privacy / Cookies”) or by making the appropriate settings in the cookie banner. For more information on data protection and the cookies used by Google, please refer to Google's privacy policy.

Legal basis: The use of this service is based on your consent in accordance with Art. 6 (1) lit. a GDPR and § 165 (3) TKG. Further information on consent can be found under optional cookies in section 3 of this privacy policy. The company is certified under the EU-U.S. Data Privacy Framework (DPF). Further information on the DPF can be found in section 5 of this privacy policy.

We use Google Remarketing technology, a service provided by Google, on our website. This feature allows us to target you as a website visitor with advertising by displaying personalized, interest-based ads when you visit other websites in the Google or DoubleClick Display Network. Google uses cookies that are stored on your computer to evaluate your website usage, demographic characteristics, and interests. Cookies are also used to analyze your website usage, which is a prerequisite for the use of interest-based advertisements. The information generated by the cookie is transmitted to a Google server, stored there, and can be evaluated by us in the context of statistics and used to create interest-based advertisements. Google may transfer this information to third parties if required by law or if third parties process this data on behalf of Google. Your IP address will not be associated with other data stored by Google.

You can object to the collection and storage of data at any time with future effect. You can deactivate the use of cookies by Google here. Alternatively, you can deactivate the use of cookies by third-party providers here. For more information on data protection and the cookies used by Google, please refer to Google's privacy policy.

Legal basis: The use of this service is based on your consent in accordance with Art. 6 (1) (a) GDPR and § 165 (3) TKG. Further information on consent can be found under optional cookies in section 3 of this privacy policy. The company is certified under the EU-U.S. Data Privacy Framework (DPF). Further information on the DPF can be found in section 5 of this privacy policy.

We use social plugins (“plugins”) from the social networks Facebook, Instagram, and LinkedIn on our website. These services are operated by the following providers:

Facebook and Instagram are operated by Meta Platforms, Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA. For users in the European Economic Area (EEA) and Switzerland, Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland, is responsible for the processing of personal data.

• An overview of Facebook plugins can be found here.
• An overview of Instagram badges can be found here.

LinkedIn is operated by LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085, USA. For users in the EEA and Switzerland, LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland, is responsible for data processing. An overview of LinkedIn plugins can be found here.

When you visit a page on our website that contains such a plugin, your browser establishes a direct connection to the servers of the respective provider (Facebook, Instagram, or LinkedIn). The content of the plugin is transmitted directly from the respective provider to your browser and integrated into the page. Through this integration, the providers receive the information that your browser has accessed the corresponding page of our website – even if you do not have a profile with the respective provider or are not currently logged in there. This information (including your IP address) is transmitted directly from your browser to a server of the respective provider in the USA and stored there. If you are logged in to one of the services at the time you visit the page, the providers can immediately assign your visit to our website to your respective profile. If you interact with one of the plugins – e.g., by clicking the “Like” or “Share” button – the corresponding information is also transmitted directly to a server of the provider and stored there.

For the purpose and scope of data collection, as well as the further processing and use of your data by the respective providers, and your rights and settings options for protecting your privacy, please refer to the privacy policies of the respective services:

• Meta Privacy Policy
• LinkedIn Privacy Policy

Legal basis: The use of social plugins is based on your consent in accordance with Art. 6 (1) (a) GDPR and § 165 (3) TKG. Further information on consent can be found under optional cookies in section 3 of this privacy policy. All of the providers mentioned are certified under the EU-U.S. Data Privacy Framework (DPF). For more information on the DPF, please refer to section 5 of this privacy policy.

Components from YouTube are integrated into our website. YouTube is an internet video portal that allows video publishers to upload video clips free of charge and other users to view, rate, and comment on them, also free of charge. YouTube allows the publication of all types of videos, which is why complete films and television programs, as well as music videos, trailers, or videos created by users themselves, are available via the internet portal. YouTube is a service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. For users in the European Economic Area (EEA) and Switzerland, however, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, is the data controller within the meaning of the GDPR. When using YouTube, personal data may be transferred to Google LLC in the USA.

When you visit a page on our website that has a YouTube video embedded in it, your browser automatically loads the corresponding YouTube component. This establishes a connection to YouTube's servers in order to display the video. As part of this technical process, YouTube and Google become aware of which specific subpage of our website is visited by the data subject. If the data subject is logged into YouTube at the same time, YouTube recognizes which specific subpage of our website the data subject is visiting when they call up a subpage that contains a YouTube video. This information is collected by YouTube and Google and assigned to the respective YouTube account of the data subject. YouTube and Google receive information via the YouTube component that the data subject has visited our website whenever the data subject is logged into YouTube at the same time as visiting our website; this occurs regardless of whether the data subject clicks on a YouTube video or not. You can prevent this information from being transmitted to YouTube and Google by logging out of your YouTube account before visiting our website.

The privacy policy published by YouTube provides information about the collection, processing, and use of personal data by YouTube and Google.

Legal basis: The use of this service is based on your consent in accordance with Art. 6 (1) (a) GDPR and § 165 (3) TKG. Further information on consent can be found under optional cookies in section 3 of this privacy policy. The company is certified under the EU-U.S. Data Privacy Framework (DPF). Further information on the DPF can be found in section 5 of this privacy policy.

We use Facebook's “Custom Audience” technology on our website, a service provided by Meta Platforms, Inc., 1 Meta Way, Menlo Park, CA 94025, USA. For users in the European Economic Area (EEA) and Switzerland, Meta Platforms Ireland Limited Merrion Road Dublin 4, D04 X2K5, Ireland is the controller responsible for processing your personal data. Data collected through the integration of cookies, web beacons, or similar third-party technologies enables us to measure and design our advertising activities on Facebook more effectively, e.g., by displaying posts or advertisements specifically to visitors to our website. We only use proven and widely used technologies such as cookies, web beacons, and similar third-party technologies to collect this data. We do not transfer lists of personal data to Facebook or upload them. The data collected is transmitted to Facebook in encrypted form only, and we cannot view the personal data of individual users. We use these web analytics services to continuously improve our features and services. Only non-personal data is used for analysis and reporting purposes, which we do not combine with other personal data.

For more information, please refer to Meta's privacy policy. If you do not want data to be collected via “Custom Audience,” you can deactivate “Custom Audience” here.

Legal basis: The use of this service is based on your consent in accordance with Art. 6 (1) (a) GDPR and § 165 (3) TKG. Further information on consent can be found under optional cookies in section 3 of this privacy policy.

We use the Hotjar service on our website, provided by Hotjar Ltd., Level 2, St Julians Business Centre, 3, Elia Zammit Street, St Julians STJ 1000, Malta, Europe. Hotjar is a tool for analyzing user behavior on this website. Among other things, it enables the recording of mouse movements, scrolling behavior, and clicks. Hotjar can also detect how long the mouse pointer remains on certain areas of the page. Hotjar uses this information to create so-called heat maps, which show which areas of the website are used particularly intensively. In addition, we can analyze how long users stay on individual pages, when they leave them, or at which point they cancel form entries (so-called conversion funnels). Hotjar also enables us to obtain direct feedback from visitors. These functions serve to optimize the website. For analysis purposes, Hotjar uses technologies that enable user recognition, e.g., cookies or device fingerprinting.

If you do not want Hotjar to collect data, you can deactivate this via our cookie banner or here. Please note that deactivation must be carried out separately for each browser and each device. Further information about Hotjar and the data processed by the service can be found in Hotjar's privacy policy.

Legal basis: The use of this service is based on your consent in accordance with Art. 6 (1) (a) GDPR and § 165 (3) TKG. Further information on consent can be found under optional cookies in section 3 of this privacy policy.

On our website, we use a content delivery network (CDN) provided by Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107, USA (“Cloudflare”). A CDN is used to deliver large media files such as images, scripts, or other content more quickly via a network of regionally distributed servers, thereby optimizing the loading speed of our website.

We have concluded a data processing agreement (Data Processing Addendum) with Cloudflare, which can be viewed here. For the transfer of personal data to the USA, Cloudflare relies on the standard contractual clauses of the EU Commission to ensure an adequate level of data protection. Further information can be found in Cloudflare's privacy policy.

Legal basis: The use of this service is based on your consent in accordance with Art. 6 (1) (a) GDPR and § 165 (3) TKG. Further information on consent can be found in section 3.2(b) of this privacy policy. The company is certified under the EU-U.S. Data Privacy Framework (DPF). For more information on the DPF, please refer to section 5 of this privacy policy.

Our website incorporates videos from the provider Vimeo LLC, 555 West 18th Street, New York, NY 10011, USA. A plugin allows us to display multimedia content directly on our website. This may involve data being transferred to the USA.

When you visit a page with an embedded Vimeo video, a connection to Vimeo's servers is established. Data such as your IP address, browser information, operating system, device information, and information about your visit to our website (e.g., session duration, bounce rate, click behavior) is processed. This data may be collected using cookies or similar technologies, regardless of whether you have a Vimeo account or are logged in. If you are logged in to Vimeo, your behavior on our website can be directly associated with your profile. To avoid this, please log out of your Vimeo account before visiting our website. If you do not want Vimeo to set cookies and collect data, you can control this in your browser settings or via our cookie banner. Please note that after deactivation, not all functions of the website may be fully usable.

Information on Vimeo’s standard contractual clauses and data protection can be found here. Information about the cookies used can be found here.

Legal basis: The use of this service is based on our legitimate interest in an appealing and technically flawless presentation of our online presence in accordance with Art. 6 (1) lit. f GDPR and on the basis of § 165 (3) TKG, as the cookies required for the provision of the embedded video (“player” and “vuid”) are technically necessary and we are currently unable to obtain consent for their use via the cookie banner. The company is certified under the EU-U.S. Data Privacy Framework (DPF). Further information on the DPF can be found in section 5 of this privacy policy.

We use so-called landing pages for certain content on our website. A landing page is a specially designed subpage that is created specifically for a particular marketing campaign or a specific offer. It can usually be accessed directly via a link from an advertisement, newsletter, or social media campaign. Unlike our regular website, a landing page is designed to draw your attention to a specific topic – such as a product, service, or promotion – and provide you with all the relevant information in a compact form. To create and provide these landing pages, we use the Instapage service, which is operated by airSlate, Inc., 1209 N Orange St, Wilmington, DE 19801 (“Instapage”). When you visit such pages, cookies and similar technologies are used to collect information about your usage behavior, but only with your prior consent. This includes, in particular, data about the current session and recognition during subsequent visits. The data collected includes IP address, browser and device information, length of stay, click behavior, and the origin of the visit. This information helps us measure the effectiveness of our campaigns and improve the user experience on our landing pages.

For detailed information on the processing of personal data by Instapage, please refer to Instapage's privacy policy. Information on Instapage's GDPR compliance can be found here. You can view airSlate's privacy policy here. If you wish to disable data collection by Instapage, you can do so via our cookie banner. Please note that deactivation must be done separately for each browser or device.

Legal basis: The use of this service is based on your consent in accordance with Art. 6 (1) (a) GDPR and § 165 (3) TKG. Further information on consent can be found under optional cookies in section 3 of this privacy policy.

We use the web analytics service Microsoft Clarity, provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA (“Clarity”), on our landing pages. Clarity enables us to analyze usage behavior on our website – in particular through session recordings, heat maps, and aggregated usage statistics. This gives us insights into how visitors interact with our website, which areas are used most frequently, and where obstacles to use may arise. This helps us to improve the user-friendliness and functionality of our website. Microsoft Clarity collects information such as mouse movements, clicks, scrolling behavior, technical device information, and pages visited. Personal data, such as text entries in form fields, is automatically masked in accordance with Microsoft's default settings and is not stored or transmitted.

For more information about data processing by Microsoft Clarity, please refer to Microsoft's privacy policy and Microsoft Clarity documentation. If you wish to disable data collection by Clarity, you can do so via our cookie banner. Please note that deactivation must be carried out separately for each browser or device.

Legal basis: The use of this service is based on your consent in accordance with Art. 6 (1) (a) GDPR and § 165 (3) TKG. Further information on consent can be found under optional cookies in section 3 of this privacy policy. The company is certified under the EU-U.S. Data Privacy Framework (DPF). For more information on the DPF, please refer to section 5 of this privacy policy.

We use the Microsoft Advertising service (formerly Bing Ads) on our landing pages, provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA.

Microsoft Advertising enables us to analyze the behavior of users on our website after clicking on an ad delivered by Microsoft using Universal Event Tracking (UET). This involves placing a cookie on the user's device, which collects pseudonymized data such as session duration, pages viewed, or interactions. This information helps us measure the success of our advertising campaigns, better target audiences, and deliver personalized advertising on Microsoft platforms (e.g., Bing, Outlook, MSN) and partner sites.

For more information about data processing by Microsoft Advertising, please refer to Microsoft's privacy policy. If you wish to disable data collection by Microsoft Advertising, you can do so via our cookie banner. Please note that this must be done separately for each browser or device.

Legal basis: Data processing is based on your consent in accordance with Art. 6 (1) (a) GDPR. Further information on consent can be found under optional cookies in section 3 of this privacy policy. The company is certified under the EU-U.S. Data Privacy Framework (DPF). For more information on the DPF, please refer to section 5 of this privacy policy.

We use Sourcebuster JS, an open-source analysis tool that is integrated locally, on our landing pages. Sourcebuster JS is used to collect information about the origin of website visits (e.g., direct access, organic search, paid campaign, referrer links) in order to better assess the performance of our marketing measures.

Sourcebuster uses cookies to recognize returning visitors and their original access source. In particular, data for identifying the source, campaign, medium, and time of the first and last visit may be stored. The data processed in this process does not contain any directly personal information, but rather pseudonymous tracking IDs and referrer data. It is not combined with other data.

If you wish to deactivate data collection by Sourcebuster, you can do so via our cookie banner. Please note that deactivation must be carried out separately for each browser or device. Further information on Sourcebuster JS can be found here.

Legal basis: Data processing is carried out exclusively on the basis of your consent in accordance with Art. 6 (1) (a) GDPR. Further information on consent can be found under optional cookies in section 3 of this privacy policy. As Sourcebuster is hosted locally, no data is transferred to third parties or third countries. The company is certified under the EU-U.S. Data Privacy Framework (DPF). Further information on the DPF can be found in section 5 of this privacy policy.

If you choose to contact us via the contact form provided on our website, e.g., for the purpose of arranging an initial consultation, the personal data you voluntarily provide to us – namely your name, email address, telephone number, company name, and any comments – will be processed in order to contact you and respond to your inquiries.

Legal basis: Data processing is carried out for the performance of (pre-)contractual obligations pursuant to Article 6(1)(b) GDPR.

Storage period: The data will be stored for documentation purposes for 12 (twelve) months after the inquiry has been completed.

On our website, you have the option to subscribe to our newsletter. When you register, we store – if provided by you – your first and last name, title, email address, IP address, as well as the date and time of registration. No further data is collected. The collected data is used exclusively for sending our newsletter. No data is passed on to third parties.

You may unsubscribe from the newsletter at any time using the unsubscribe link included in each newsletter or by sending us an email. The withdrawal of your consent does not affect the lawfulness of processing carried out prior to the withdrawal.

For the purpose of sending the newsletter, we use the service “Brevo,” operated by Brevo GmbH, Köpenicker Straße 126, 10179 Berlin. Further information on data protection at Brevo can be found in Brevo’s Privacy Policy.

Legal basis: Processing of your data is based on your consent pursuant to Article 6(1)(a) GDPR and Section 174 of the Telecommunications Act (TKG). Further information regarding consent can be found under Section 5 of this Privacy Policy.

Storage period: Your data will be stored until you unsubscribe from the newsletter. In that case, the cancellation will be automatically recorded, and you will no longer receive newsletters. The aforementioned data will be deleted within 14 (fourteen) days at the latest. Your consent to receive the newsletter, including your email address as well as the date and time of registration, will be retained for evidentiary purposes for up to 3 (three) years after unsubscribing and then deleted.

When operating the PAYUCA app, we store usage data each time the app is accessed. This usage data is stored in server log files. These data are required to ensure the smooth operation of the app. In addition, the data are analyzed to ensure and, if necessary, improve data security and data protection. In the event of a cyberattack, this information may be made available to law enforcement authorities.

The following data are processed:

• Unique Identifier (UUID),
• IP address,
• Date and time of access,
• Operating system and device type used by the accessing system.

Legal basis: Processing of your data is based on Article 6(1)(f) GDPR and serves our legitimate interest in ensuring the functionality and security of the PAYUCA app.

Storage period: Your data will be stored for a period of up to 90 (ninety) days and then deleted.

In order to use the services offered in our app (parking at selected rates), it is necessary to create a PAYUCA account. When you create a PAYUCA account, the personal data you provide:

• First and last name and, where applicable, company name;
• Mobile phone number;
• Email address

are processed. In this context, a user ID will be generated for you, and the registration date will be stored.

If you conclude a rental agreement via the PAYUCA app, we additionally collect the following data in addition to the information mentioned above:

• Official license plate number of the vehicle with which you wish to use a PAYUCA location;
• Data relating to your location;
• Transaction data: data on costs and amounts for parking processes, “PAYUCA Credits” account balance, data relating to the parking space (in particular the designation and address of the garage), start and end time of the parking session, and any discounts resulting from promotions.

If you order an NFC tag via the PAYUCA app, we additionally collect the following data in addition to the information already mentioned:

• Delivery address (street, building/staircase/door number, postal code, city, country).

Furthermore, within your PAYUCA account, you can:

• under the filter "Parkings", view the parking sessions you have completed. For each parking session, you can view the PAYUCA location selected, the vehicle license plate used, the start and end times, as well as the PAYUCA Credits charged.
• under the filter "Reservations", view the reservations you have made. For each reservation, you can view the PAYUCA location selected, the vehicle license plate used, the start and end times, as well as the PAYUCA Credits charged.
• under the filter "Orders", view an overview of the orders you have placed (e.g., PAYUCA NFC tags). For each order, you can view the order date, the delivery address selected, and the PAYUCA Credits charged.

Legal basis: The processing of your data is based on Article 6(1)(b) GDPR, as it is necessary for the performance of a contract or for the implementation of pre-contractual measures. Without this data, we cannot conclude a rental agreement or enable a parking process.

Storage period: The data will generally be deleted when you delete or deactivate your PAYUCA account, unless statutory retention obligations prevent deletion or we need the data in individual cases for the purpose of asserting legal claims. PAYUCA accounts that have no PAYUCA Credits at the time of intended deletion will be deleted after 12 (twelve) months of inactivity. Inactivity means that during this period you have not made any reservation or parking transaction, nor purchased PAYUCA Credits, nor received PAYUCA Credits credited to your account through a voucher code or any other promotion. Before deletion, you will be notified by email and will have 30 (thirty) days from that point to object to the deletion. If a new transaction as defined in this provision occurs within this period, the PAYUCA account will be considered active again.

Our app uses services provided by the Google Firebase platform, which offers a variety of functions, particularly for analyzing and optimizing app functionalities. An overview of the available services can be found here.

Firebase is operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. For users in the European Economic Area (EEA) and Switzerland, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, is responsible for the processing of personal data.

Some of these services process personal data. Typically, these are so-called "Instance IDs" that are assigned a timestamp. These IDs are technically unique and enable the attribution of individual usage events within the app. However, for us, these data do not constitute personal information within the meaning of the GDPR. Identification of individual users does not occur and is not intended.

Processing is carried out exclusively in aggregated form for the purpose of technical analysis and optimization of our app, in particular for evaluating error messages and crash reports.

For Firebase Analytics, Google uses, in addition to the “Instance ID” described above, the advertising ID of the end device. You can restrict the use of the advertising ID in your device settings.

For Android: Settings > Google > Ads > Reset Advertising ID

For iOS: Settings > Privacy > Advertising > Limit Ad Tracking

Legal basis: The use of this service is based on your consent pursuant to Article 6(1)(a) GDPR and Section 165(3) of the Telecommunications Act (TKG). The withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal. The company is certified under the Data Privacy Framework (DPF). Further information on the DPF can be found in Section 5 of this Privacy Policy.

Storage period: The data collected for this purpose will be stored for 90 (ninety) days.

We use Amplitude, an analytics service provided by Amplitude Inc., 631 Howard St, 5th Floor, San Francisco, CA 94105, USA, to analyze user behavior. For this purpose, anonymized information about your usage is transmitted to an Amplitude server. No data are transferred that would allow conclusions to be drawn about an individual user. Further information on Amplitude and data protection can be found here.

Legal basis: The use of this service is based on your consent pursuant to Article 6(1)(a) GDPR and Section 165(3) TKG.In cases where data are transferred to Amplitude servers, please note that the company is certified under the EU-U.S. Data Privacy Framework (DPF). Further information on the DPF can be found in Section 5 of this Privacy Policy.

Storage period: The data collected for this purpose will be stored for 1 (one) year.

To improve user navigation, we use the service Branch.io, provided by Branch Metrics, Inc., 2443 Ash Street, Palo Alto, CA 94306, USA. This service is an open-source solution that enables the generation of targeted smart links to in-app content via Software Development Kits (SDKs) for web, iOS, and Android operating systems. It also allows users to share content through social media platforms connected to the service.

In the course of providing the service and its functionalities, Branch Metrics collects data. For details regarding the purpose and scope of data collection and processing by Branch Metrics, as well as your related rights, please refer to the Branch Metrics privacy policy available here.

Legal basis: The use of this service is based on your consent pursuant to Article 6(1)(a) GDPR and Section 165(3) TKG. In cases where data are transferred to servers of Branch Metrics, Inc., please note that the company is certified under the EU-U.S. Data Privacy Framework (DPF). Further information on the DPF can be found in Section 5 of this Privacy Policy.

Storage period: The data collected for this purpose will be stored for 6 (six) months.

When you place an order with us, we transmit your personal data to the payment service provider commissioned by us for the purpose of processing the payment. Only the data necessary for the execution of the payment process are transferred.

Legal basis: Processing is carried out for the performance of (pre-)contractual obligations pursuant to Article 6(1)(b) GDPR. In addition, we rely on our legitimate interest in ensuring the efficient handling of contractual transactions within our app pursuant to Article 6(1)(f) GDPR.

We use Adyen N.V., Simon Carmiggeltstraat 6–50, 1011 DJ Amsterdam, Netherlands (“Adyen”) as our payment service provider. During the ordering process, we transmit to Adyen the information you have provided as well as order data such as your name, address, IBAN, BIC, invoice amount, currency, and transaction number. The data transfer is made solely for the purpose of processing the payment and only to the extent required for this purpose.

When selecting the payment method “Klarna Sofort”, payment processing is carried out via Klarna AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden (“Klarna”). For the purpose of executing the payment, the information you provide – name, address, IBAN, BIC, invoice amount, currency, and transaction number – will be transmitted to Klarna.

Your personal data will be processed in accordance with applicable data protection regulations and the respective Klarna privacy policy applicable to data subjects residing in Austria or Klarna privacy policy applicable to data subjects residing in Germany.

For payments via PayPal (credit card, direct debit, or – if offered – purchase on account or installment payment), we transmit your payment data to PayPal (Europe) S.à r.l. et Cie, S.C.A., 22–24 Boulevard Royal, L-2449 Luxembourg (“PayPal”) as part of the payment process.

Further information on data protection, including details about credit reference agencies used, can be found in PayPal’s Privacy Policy.

For the purposes outlined above, we may disclose personal data to the following recipients:

These are service providers who provide hosting, maintenance, and security services for our website or app.

The hosting of the database and web content of our website and app is carried out via Amazon Web Services ("AWS"), operated by Amazon Web Services, Inc., P.O. Box 81226, Seattle, WA 98108-1226, USA.

Data are stored exclusively in European data centers certified under ISO 27001, 27017, and 2018 as well as PCI DSS Level 1. Further information on AWS and data protection can be found here and in the Amazon Privacy Notice.

The hosting of the web application app.payuca.com is provided by Heroku, a cloud platform service of Salesforce, Inc., Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA (“Salesforce”). Salesforce ensures the protection of personal data through the use of EU Standard Contractual Clauses, which can be viewed here. Further information on data protection at Salesforce can be found here and in Salesforce’s Privacy Policy.

The company is certified under the EU-U.S. Data Privacy Framework (DPF). Further information on the DPF can be found in section 5 of this Privacy Policy.

The hosting of our landing pages is provided by Instapage. The name and registered office of the company are listed under the corresponding processing activity in section 3.

The request form for charging processes is provided via a service of Zoho Corporation B.V., Beneluxlaan 4B, 3527 HT Utrecht, Netherlands. Data processing takes place primarily within the EU.

Should data be transferred to Zoho Inc., Zoho applies the European Commission’s Standard Contractual Clauses pursuant to Article 46 GDPR to ensure adequate data protection. Further information can be found here.

These include Google, Meta, Hotjar, etc., which provide the services mentioned in point 3; the respective name and registered office of the company can be found in the corresponding processing activity in point 3 of this privacy policy.

These include Klarna, PayPal, etc. The respective name and registered office of the company can be found in section 4 of this privacy policy.

Where data disclosure is required by law or necessary for the establishment, exercise, or defense of legal claims, we may disclose your data to competent authorities and courts as well as to third parties advising us in this context (e.g., attorneys, auditors, forensic experts).

As a general rule, countries outside the European Economic Area (EEA) are considered to have a level of data protection that is not equivalent to that under the GDPR. This applies in particular to the United States, unless the relevant service provider or recipient has been certified under the EU-U.S. Data Privacy Framework (DPF). In such cases, there is a risk that local authorities or courts may access your data and that you may not have adequate legal remedies available. The DPF is an agreement between the European Union and the United States that ensures compliance with European data protection standards for data processing in the U.S. Each company certified under the DPF commits to upholding these standards. Further information can be found here.

In accordance with Chapter V of the GDPR, we generally implement appropriate safeguards for the transfer of personal data to third countries. These include, where applicable (and where DPF certification does not exist), the conclusion of the European Commission’s Standard Contractual Clauses for the transfer of personal data (Article 46(2)(c) GDPR) and, where required, the collection of your explicit consent (Article 49(1)(a) GDPR). Further details about the safeguards in place and copies of the respective agreements are available upon request at datenschutz@payuca.com.

However, since all recipients are either located in the EU or are recipients who are already certified according to DPF or who use the standard contractual clauses published by the EU Commission for the transfer of personal data (Art. 46 (2) (c) GDPR), the level of data protection is considered comparable to that of the GDPR and therefore there is no risk.

Your data will generally be stored for as long as necessary to fulfill the respective processing purpose (e.g., contact form, newsletter, or PAYUCA account). In any case, we process your data for the duration of the contractual or service relationship (see the specific retention periods for each processing activity above). Furthermore, data may be retained until the expiration of applicable statutory retention periods (e.g., 7 (seven) years from the end of the calendar year pursuant to Section 132(1) Austrian Federal Fiscal Code [BAO] or Sections 190, 212 Austrian Commercial Code [UGB]) or as long as other legitimate interests justify retention (e.g., retention of data as evidence in connection with the establishment, exercise, or defense of legal claims in pending or anticipated legal proceedings).

The storage period for server log data and cookies on the website can be found in section 3, and for the app in section 4 of this privacy policy. The specific periods for storing data relating to the contact form, newsletter, and PAYUCA account can be found in section 3, and for the app in section 4 of this privacy policy.

In accordance with the statutory provisions, you have the right:

• pursuant to Art. 15 GDPR, to request information about your personal data processed by us. In particular, you can request information about the purposes of processing, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, deletion, restriction of processing or objection, the existence of a right of appeal, the origin of your data, if it was not collected by us, and the existence of automated decision-making, including profiling and, if applicable, meaningful information about its details;
• to request the immediate correction of inaccurate or incomplete personal data stored by us in accordance with Art. 16 GDPR;
• to request the deletion of your personal data stored by us in accordance with Art. 17 GDPR;
• to request the restriction of the processing of your personal data in accordance with Art. 18 GDPR;
• to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request its transfer to another controller in accordance with Art. 20 GDPR;
• to object to the processing of your personal data under certain circumstances in accordance with Art. 21 GDPR;
• to withdraw your consent to us at any time in accordance with Art. 7 (3) GDPR. and
• to lodge a complaint with a supervisory authority (for Austria: Data Protection Authority, Barichgasse 40-42, A-1030 Vienna, “www.dsb.gv.at”) in accordance with Art. 77 GDPR. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our registered office for this purpose.

We do not process your data for the purpose of making decisions based solely on automated processing, including profiling, which have legal effects on you (Art. 22 GDPR).

To exercise your rights as a data subject, you can use the contact details provided in section 10 below.

This Privacy Policy applies in its current version. We reserve the right to amend this Privacy Policy at any time. If we make changes, we will take reasonable steps to inform you about them. The date of the most recent version can be found at the end of this Privacy Policy.

This is a translation of the original German Privacy Policy. It is provided for informational purposes only. In case of any conflict or deviation between this English translation and the German version, the German version shall be legally binding and prevail.

Address: PAYUCA GmbH, Handelskai 92, Gate 2, 3. OG, 1200 Vienna, Austria

Telephone: +43 1 307 5622

Fax: +43 1 307 5622 – 9

E-Mail: office@payuca.com

Commercial Register: FN 440762 f Handelsgericht Wien

VAT-Number: ATU69942315

DVR: 4017740

Managing Directors: Dominik Wegmayer

As of: 20251201