Privacy Policy for the FlixTrain OMS mobile App

Version date: 19/03/2025

In this policy (hereinafter “Privacy Policy”), you will learn how your data is processed and what privacy rights you have when you use the FlixTrain OMS mobile App, an app for managing train operations (hereinafter also referred to as the “App”), provided by FlixTrain.
        
You can find further legal information here: 

1.    Name and address of the controller

The controller of the processing of your personal data (Art. 4(7) GDPR) is:        
FlixTrain GmbH
      
Friedenheimer Brücke 16        
80639 Munich, Germany        
Telephone: +49 (0)30 300 137 300      
Email: info@flixbus.de  
  

2.  Contact details of the data protection officer  

Our company data protection officer is available to you at any time to answer all your questions and as a contact person on the subject of data protection:     
        
FlixTrain GmbH
Friedenheimer Brücke 16        
80639 Munich, Germany        
Email: data.protection@flixbus.com        

For general questions about FlixTrain, please contact info@flixbus.de   

3.    Legal basis of data processing    

The processing of personal data is permitted if at least one legal basis listed below is complied with:    

  • Art. 6 para. 1(a) GDPR: the data subject has given his/her consent to the processing of the personal data concerning him/her for one or more specific purposes;    
  • Art. 6 para. 1(b) GDPR: the processing is necessary for the performance of a contract to which the data subject is a contracting party, or for the implementation of pre-contractual measures which are carried out at the request of the data subject;    
  • Art. 6 para. 1(c) GDPR: the processing is necessary for compliance with a legal obligation to which the controller is subject (e.g. a statutory retention obligation);
  • Art. 6 para. 1(d) GDPR: the processing is necessary to safeguard the vital interests of the data subject or another natural person;   
  • Art. 6 para. 1(e) GDPR: the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or    
  • Art. 6 para. 1(f) GDPR: the processing is necessary to safeguard the legitimate interests pursued by the controller or a third party, unless the opposing interests or rights of the data subject prevail (in particular where the data subject is a child).     

For processing carried out by us, we specify the applicable legal basis under Clause 12. Processing can also be based on more than one legal basis.     

4. Categories of recipients    

Under certain conditions, we transmit your personal data within the companies of Flix Group, or personal data from such companies is transferred to us, to the extent that is permissible. We also use external domestic and foreign service providers to handle our business transactions and work with partner companies at home and abroad. These include, for example:    

  • (IT) Service providers (internal/external)    
  • Shop operators    
  • Security companies    
  • (travel) insurers    
  • Other partners engaged for our business operations (e.g., auditors, banks, insurance companies, lawyers, supervisory authorities, other parties participating in company acquisitions)    

For more details please see the following:       
        
Microsoft: Data Privacy in the Trusted Cloud | Microsoft Azure         
AWS: AWS Privacy (amazon.com)
Mixpanel: https://mixpanel.com/legal/privacy-policy         
Snowflake: https://www.snowflake.com/privacy-policy/         

The service providers and partner companies must provide guarantees that suitable technical and organizational measures are implemented by them in such a way that the processing meets legal requirements, and the rights of the data subjects are safeguarded.        

We transmit personal data to public bodies and institutions (e.g., police, public prosecutor’s office, supervisory authorities) if there is a corresponding obligation/authorization.        

For processing carried out by us, we specify the categories of the data recipients under Clause 12.     

5.    Requirements for the transfer of personal data to third countries     

As part of our business relationships, your personal data may be shared with or disclosed to third parties, who may also be located outside the European Economic Area (EEA), i.e., in third countries. Insofar as it is necessary, we will inform about the respective particulars of the transfer to third countries in connection with the processing carried out by us.         

The European Commission certifies that some third countries have data protection that is comparable to the EEA standard by means of so-called adequacy decisions (a list of these countries and a copy of the adequacy decisions can be downloaded from: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.html).         

However, in other third countries to which personal data may be transferred, there may not be a consistently high level of data protection by reason of a lack of legal provisions. If this is the case, we ensure that data protection is adequately guaranteed.         
This is possible, for example, via binding company regulations (referred to as “binding corporate rules”), standard contractual clauses of the European Commission for the protection of personal data, certificates and recognized codes of conduct.        
Insofar as it is necessary for your booking and the associated providing and processing of transport services, the transmission of personal data required for this to third countries is permitted in accordance with Art. 49 para. 1(b) GDPR.        

Please contact our data protection officer if you would like more detailed information on this topic.       

6.    Storage period and data deletion      

The storage period of the personal data collected depends on the purpose for which we process the data. The data will be stored for as long as this is necessary to achieve the intended purpose.   
       
In the case of processing carried out by us, we specify how long the data will be stored by us. If no explicit storage period is specified below, your personal data will be erased or blocked as soon as the purpose or legal basis for the storage no longer applies.         

However, storage can take place beyond the specified time in the event of a(n) (imminent) legal dispute with you, or if other legal proceedings are initiated, or if storage is stipulated by statutory provisions to which we as the controller are subject. If the storage period prescribed by statutory provisions expires, the personal data will be blocked or erased unless further storage by us is required and there is a legal basis for this.       

7.    Automated decision making (including profiling)      

We do not intend to use any personal data collected from you for any processes involving automated decision-making (including profiling). If we wish to implement these procedures, we will inform you of this separately in accordance with legal provisions.       

8.    No obligation to provide personal data      

We do not fundamentally make the conclusion of contracts with us dependent on you providing us with personal data beforehand. In principle, there is also no statutory or contractual obligation to provide us with your personal data; however, we may only be able to provide certain offers to a limited extent, or not at all, if you do not provide the data required for this.        

9.    Statutory duty to transmit certain data      

Under certain circumstances, we may be subject to a special statutory or legal obligation to provide personal data to third parties, in particular public bodies.       

10.    Data security      

We use suitable technical and organizational measures to safeguard your data against accidental or intentional manipulation, partial or complete loss or destruction, or against unauthorized access by third parties, taking into consideration the latest technology, the implementation costs and the nature, scope, context and purpose of the processing, as well as the existing risks of a data breach (including the probability and effect of such an event) for the data subject. Our security measures are continuously being improved to take into account technological developments.

We will be happy to provide you with further information about this upon request. Please contact our data protection officer or our CISO (chief information security officer) in this regard:       

Flix SE        
Friedenheimer Brücke 16        
80639 Munich, Germany        
Email: it-security@flixbus.com      

11.    Your rights      

You may assert your rights as a data subject regarding your personal data at any time, in particular by contacting us using the contact details provided in Clause 1. Data subjects have the following rights under the GDPR:        

Right to information   
You can request information in accordance with Art. 15 GDPR about your personal data processed by us. In your request for information, you should clarify your concern to make it easier for us to compile the necessary data. Upon request, we will provide you with a copy of the data that are the subject matter of the processing. Please note that your right to information may be limited under certain circumstances in accordance with statutory provisions.        

Right to rectification   
If the information relating to you is not (any longer) correct, you may request a correction in accordance with Art. 16 GDPR. If your data is incomplete, you may request completion.        

Right to erasure   
You may request the erasure of your personal data in accordance with the provisions of Art. 17 GDPR. Your right to erasure depends, among other things, on whether the data relating to you are still required by us to perform our statutory duties.        

Right to restriction of processing   
In accordance with the provisions of Art. 18 GDPR, you have the right to demand a restriction of processing of the data relating to you.        

Right to data portability   
In accordance with the provisions of Art. 20 GDPR, you have the right to receive the data that you have provided to us in a structured, commonly-used and machine-readable format, or to request the transmission to another controller.        

Right to object   
In accordance with Art. 21 para. 1 GDPR, you have the right to object to the processing of your data at any time for reasons relating to your particular situation.       

Right to appeal        
If you are of the opinion that we have not complied with the provisions of data protection regulations when processing your data, you can complain to a data protection supervisory authority about the processing of your personal data, such as to the data protection supervisory authority under whose jurisdiction we fall: 
         
Bayerisches Landesamt für Datenschutzaufsicht [Bavarian State Office for Data Protection Supervision], Promenade 18, 91522 Ansbach, Germany        
        
Right to withdraw consent        
You can withdraw your consent to the processing of your data at any time with future effect.        

12. Use of the app      

The App is primarily used by company employees, with extended access for authorized external partners (e.g. locomotive drivers from ELL; Hectorrail). Authentication is implemented through Microsoft Azure AD credentials. Users cannot create an account inside the App; they can only log in with the credentials provided by Flix.

12.1 User Access and Authentication

The processing of the employee's personal data is necessary to create and maintain an account in the App.

For that purpose, we process the following personal data:

  • Login credentials

The legal basis is Art. 6 para. 1(b) GDPR (contractual obligation).

12.2 Data collection and Analytics      

  • Technical performance monitoring and crash reporting through DataDog platform

  • Collection of usage analytics for app performance optimization

  • Crash reports include standard device information and app state at time of incident               

The data collected and analyzed is:

  • IP address,  
  • Date and time of request,  
  • Time zone difference to Greenwich Mean Time (GMT),        
  • Data volume transferred in each case,  
  • Website from which the request comes,  
  • Browser,  
  • Operating system and its interface,  
  • Language and version of the App,  
  • Name of your mobile device,  
  • Language, region and version of the mobile device 

The legal basis is Art. 6 para. 1(f) GDPR. Our legitimate interest is improving the product.

12.3 Location Services      

  • Specific features that could be improved by having user location data

  • Location access is permission-based and opt-in only

  • Location data is only collected when explicitly authorized by the user       
           
    •  Location data (These are only stored locally on your device and not shared with Flix SE)

The legal basis is Art. 6 para. 1(a) GDPR and Section 25 para. 1 of the TDDDG (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz).