Privacy Policy for Heide Park App

CONTENTS

1 About this app

2 Contact details of the person responsible

3 Data protection team and data protection officer

4 What is personal data?

5 Information collected during download

6 Automatically collected data during use

7 Using the app

8 Analysis and tracking

8.1 Bugsnag

8.2 Google Firebase Analytics

8.3 Tracking of location data

9 In-app purchases

10 Registration

11 Push messages

13 Transfer to third countries

14 Disclosure and transmission of data

15 Changes of purpose

16 Storage duration

17 Your rights

17.1 General rights

17.2 Right of objection

17.3 Revocation of consent

17.4 Right of appeal

18 Contact

19 Changes to this privacy policy

 



1 About this app

The free Heide Park app is a practical tool for your visit to Heide Park Resort. It contains an interactive park map that you can use to navigate digitally through the park and quickly find opening times and entrances to rides, attractions, restaurants and other important locations such as lockers and toilets. The app also provides you with information on special offers for restaurants and shops. You can see all waiting times and opening times for rides and information about the start and end times of shows in the park at a glance. You can save your tickets, season passes or adventure passes in the app and also book tickets directly, buy souvenirs and plan your visit in advance. You will also receive general information about visitor services and can use the free Wi-Fi throughout the park.

When you use the app, we process your personal data. In the following, we would like to inform you about how, why and to what extent we process personal data when you use the app. You will also find information here about the legal basis for processing your data.

You can access this privacy policy at any time via the app by clicking on the menu item Infos > Datenschutz .

2 Contact details of the person responsible

If you have any further questions about data protection, please contact us. If you have any questions about the processing of your personal data or to assert your legal rights as a data subject, please contact us:

Heide-Park Soltau GmbH
Heide Park 1
29614 Soltau

Phone:+49 (0) 5191-6214900
E-mail: info(at)heide-park.de

 

3 Data protection team and data protection officer

The primary contact for all questions in connection with this statement is the Merlin data protection team:

Data.Protection@merlinentertainments.biz

You can contact the external data protection officer of Heide-Park Soltau GmbH directly at the following address:

Personal / Confidential - Daniela Schott, c/o intersoft consulting services AG, Beim Strohhause 17, 20097 Hamburg, e-mail: dschott@intersoft-consulting.de

4 What is personal data?

Personal data is all data that can be related to you personally, such as name, address, email addresses, user behaviour, user IDs - i.e. all data that can be used to identify you directly or indirectly.

5 Information collected during download

For reasons of transparency, we would like to point out that when you download the app, certain information is transmitted to the app store you have selected (e.g. Google Play or Apple App Store). This can be:

  • Your username
  • Your e-mail address
  • The customer number of your Google/Apple account
  • Time of the download
  • Payment information, if applicable
  • Individual device identification number
  • Advertising IDs


This data is processed exclusively by the respective app store and is outside our sphere of influence. No data is forwarded to us by the respective app store operator. There is no exchange of personal data between us and the Google Play Store or Apple App Store. We only collect the current download figures for our app.

 

6 Automatically collected data during use

Our app can be used via the Google Play Store on Android devices and via the App Store on Apple devices.

When you use the app, we automatically collect the following personal data in order to ensure the convenient use and functionality of our app:

  • IP address
  • Name of the mobile phone provider
  • Currently connected Wi-Fi SSID
  • Version of the app and build number
  • Operating system
  • Version of the operating system
  • Device name
  • Current time zone
  • Battery status (charged or not)
  • Bluetooth status (switched on or off)
  • User's preferred language
  • Each visit to the park/resort including date/time of first and last visit
  • Location, accuracy and date/time at regular intervals throughout the day (only during your stay at the park/resort)
  • Status of the location authorisation (activated or deactivated)
  • Date/time of entering/leaving a geofence region (when you enter an offered geofence region)
  • App interactions
  • Crash reports

The data is collected,

(1) to provide you with the service and the associated functions,

(2) to improve the functions and features of the app and

(3) prevent and eliminate misuse and malfunctions and

(4) to offer you a personalised guest experience.

The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected.

This data processing is justified by the fact that (1) the processing is necessary for the fulfilment of the user contract between you as the data subject and us in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR for the use of the app, or (2) we have an overriding legitimate interest in ensuring the functionality and error-free operation of the app and in being able to offer a service in line with the market and interests, Art. 6 para. 1 sentence 1 lit. f GDPR, which outweighs your rights and interests in the protection of your personal data. The processing of the above-mentioned data is therefore necessary for this service.

7 Using the app

Within the app, you can enter a variety of information, such as creating tasks and planning, managing and editing activities.

This information includes, in particular, data on

  • Use of the interactive car park map with route planner
  • Querying the waiting times for rides
  • Information about start and end times of shows
  • Information about attractions, rides, restaurants and shops
  • Display of the opening hours of the park, attractions, rides, restaurants and shops
  • the retrieval of general information on visitor services and
  • Requesting information on special offers in relation to catering and shops.

In any case, your IP address and, if applicable, the data described above in section 6 will be processed. Insofar as this data is processed for the purpose of providing you with the desired service, the legal basis is Art. 6 para. 1 lit. b GDPR. This data processing is necessary for the use of the app.

8 Analysis and tracking

We use analysis and tracking tools within the app to track your user behaviour and personalise services and to improve our app

8.1 Bugsnag

We use Bugsnag, a service provided by Bugsnag Inc, 939 Harrison St, San Francisco, CA 94107, USA.

Scope and purpose of processing

Bugsnag enables us to identify errors when using the app that have led to a malfunction or crash. Bugsnag automatically collects a variety of data that helps us with troubleshooting and creates crash and error reports. The following data can be processed:

  • IP address
  • Crash data
  • Configuration data
  • Browser data
  • Device identification
  • Build data

Bugsnag will use this information on our behalf to evaluate your use of the app, determine the source of the error and thus enable us to rectify the error and optimise our app.

Storage duration

The data will be deleted after the purpose has been achieved, at the latest after 60 days.

Receiver

  • Bugsnag Inc, 939 Harrison St, San Francisco, CA 94107, USA

Third country transfer

The data is transferred to a Bugsang server in the USA. There is currently an adequacy decision by the EU Commission for the USA. However, only US companies that are certified in accordance with the EU-US Privacy Framework benefit from the privileges arising from this decision. Bugsnag is not certified under the EU-US Privacy Framework. We have concluded the standard contractual clauses of the EU Commission with Bugsnag to ensure an adequate level of data protection.

Legal basis

The legal basis for the data processing described is Art. 6 para. 1 sentence 1 lit. f GDPR.

Right of objection

You have the right to object to data processing concerning you. The objection leads to a balancing of interests. If we cannot prove compelling reasons worthy of protection that outweigh our interests, we may no longer process your data for the purposes described. However, we would like to point out that the data processing described is necessary for the secure and error-free operation of the app.

Further information on data protection and the use of data by Bugsnag can be found on the following Bugsnag website: https://docs.bugsnag.com/legal/privacy-policy/

8.2 Google Firebase Analytics

We use the Google Firebase tool, which includes the products Firebase Crashlytics and Firebase Performance. The provider is Google Inc. 1600 Amphitheatre Parkway Mountain View, CA 94043, USA. ("Google").

Scope and purpose of data processing
Data processing is carried out for statistical purposes and for development or test procedures, for example to test and optimise different versions of our app. We also analyse the surfing behaviour of users for this purpose. By analysing the data obtained, we are able to obtain information about the use of the individual components of our app. The analysis is used exclusively to eliminate errors in the app or to further develop the app's infrastructure in a user-orientated manner.

Firebase Crashlytics is used to create and analyse crash reports in order to improve the stability of the app.

Firebase Performance is used to create and analyse "crash" reports on the network behaviour of the app in order to improve the stability of the infrastructure (including code sequences, affected versions, device information). The network behaviour between the app and its own end devices accessible via the Internet is considered.

Events are also logged as follows

  • Ticket purchase success
  • Subscription purchase success
  • Add ticket to favourites
  • Remove ticket from favourites
  • Payment method registration
  • Payment method error registration
  • Remove payment method
  • User logout

Reports on application speed and reports on application-related endpoint speed (Firebase standard reports) are also generated.

The following personal data is collected for the reports described:

  • Usage data (websites visited, interest in content, access times)
  • Meta/communication data (device information, IP addresses)
  • Transmission speed per IP mask
  • which resources are accessed from which IP masks
  • which process an IP mask performed before it encountered an error.

We would like to point out that Firebase is set so that the IP addresses are not stored completely, but are masked (pseudonymisation of the IP address, so-called "IP masking"). Your IP address is recorded by Google in masked form, so that no assignment to the calling end device is possible.

Storage period
The data is deleted as soon as it is no longer required for the stated purposes. The generated statistics and underlying data are not deleted. Firebase cookies have a maximum storage period of 14 months.

Receiver

The recipient of the data is Google Ireland Limited as the processor. We have concluded a data processing agreement with Google for this purpose. Other recipients may be:

  • Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
  • Alphabet Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA

Third country transfer

Insofar as data is processed outside the EU/EEA and there is no level of data protection corresponding to the European standard, we have concluded EU standard contractual clauses with the service provider to establish a secure level of data protection. The parent company Google LLC is based in California, USA. There is currently an adequacy decision by the EU Commission for the USA. However, the privileges from the adequacy decision only apply to US companies that are certified in accordance with the EU-US Privacy Framework. Google LLC is certified under the EU-US Privacy Framework.

Legal basis
The legal basis for the data processing described is Art. 6 para. 1 sentence 1 lit. f GDPR.

Right of objection
You have the right to object to data processing concerning you. The objection leads to a balancing of interests. If we cannot prove compelling reasons worthy of protection that outweigh our interests, we may no longer process your data for the purposes described. However, we would like to point out that the data processing described is necessary for the secure and interest-orientated operation of the app.

8.3 Tracking of location data

If you have given us your consent, we will track the location of your mobile phone when you use our app and during your stay at Heide Park.

Scope and purpose of processing

Location data is collected by smartphones to localise mobile phone users. It enables the use of location-based services (LBS), such as map services, access control or location-based information via push notifications.

We use your device's location services and sensor data (e.g. Bluetooth data, beacon data, Wi-Fi access points, GPS data and mobile phone data), as some of our products and services use location data for access control purposes and/or to provide you with location-based information within Heide Park.

If you have activated persistent background location services on your device, we can determine the location of your device even if you are not using the services or products on your device. The persistent background location services use various technologies to determine your exact location, e.g. the location services of your operating system or browser, sensor data from your device (e.g. magnetometers, barometers, gyroscopes, accelerometers, compasses, Bluetooth data, beacon data, Wi-Fi access points, GPS data and mobile data).

Storage duration

The location data will be processed until you withdraw your consent and then deleted or anonymised.

Receiver

We will never pass on your location data to third parties unless you have expressly consented to this.

  • Heide-Park Soltau GmbH
  • MERLIN ATTRACTIONS OPERATIONS LIMITED

Third country transfer

There is no transfer to third countries.

Legal basis

The legal basis for the data processing described is your consent.

Cancellation option

You can revoke your consent to location tracking at any time with effect for the future. To do this, go to the settings of your end device and revoke the app's authorisation for location transmission. You can also change the settings for background location transmission in the general settings of your operating system, but you may then no longer be able to use certain services of other apps.

9 In-app purchases

The app allows you to plan your visit or short holiday, book tickets and buy souvenirs online using a browser via our website heide-park.de Please note the data protection declarations for the shop at https://shop.heide-park.de/policies/privacy-policy and our website at https://www.heide-park.de/informationen-daten/datenschutz/. The contract is concluded there.

10 Registration

You can use the app without registering. If you want to buy a ticket, a photo pass or souvenirs, you have the option of creating a customer account. However, this is done on our website and is not saved in the app. Please note the privacy policies for the shop at https://shop.heide-park.de/policies/privacy-policy and our website at https://www.heide-park.de/informationen-daten/datenschutz/.

11 Push messages

If you have given us your consent, we use the Google Cloud Messaging (Android) and Apple Push Notifications (iOS) services to send you push notifications.

Scope and purpose of processing

The Google Cloud Messaging (Android) and Apple Push Notifications (iOS) services we use generate a pseudonymous ID from the identifier of our app and your device identifier. This is stored on the push platform (possibly with settings selected by you and) the login data in order to make the content available to you. Your IP address is processed for data transmission. Google and Apple serve exclusively as transmitters.

The purpose of push notifications is to keep you even better informed about current offers, content, services or products and to send you this content in a targeted manner without you having to open our app. We can also send you general information about your stay with us in a targeted and - subject to your consent - location-based manner.

Storage duration

The pseudonymous ID and any settings made by you will be stored until you withdraw your consent or uninstall the app.

Receiver

  • Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
  • Apple Inc, One Apple Park Way, Cupertino, California, USA

Third country transfer

Insofar as data is processed outside the EU/EEA and there is no level of data protection corresponding to the European standard, we have concluded EU standard contractual clauses with the service provider to establish a secure level of data protection. Data transfer to the USA is not excluded for the processing described above. There is currently an adequacy decision by the EU Commission for the USA. However, the privileges from the adequacy decision only apply to US companies that are certified in accordance with the EU-US Privacy Framework. Google LLC is certified under the EU-US Privacy Framework.

Legal basis

The legal basis for the described processing is your consent.

Cancellation option

You can revoke your consent at any time with effect for the future by deactivating push notifications in the settings of your device or by revoking the app's authorisation to send push notifications.

13 Transfer to third countries

When processing data in the context of using the app, we transfer personal data to the following third countries:

  • USA

To ensure an adequate level of data protection in these third countries, there are either adequacy decisions by the EU Commission or adequate and appropriate safeguards in the form of

  • EU standard data protection clauses pursuant to Art. 46 para. 2 lit. c GDPR and
  • Further technical and organisational protective measures, if necessary

Further information on recognising safe third countries can be found on the EU Commission's website.

14 Disclosure and transmission of data

Your personal data will only be passed on without your express prior consent in addition to the cases explicitly mentioned in this privacy policy if it is legally permissible or required. This may be the case, for example, if the processing is necessary to protect the vital interests of the user or another natural person.

14.1 Own administrative purposes, login data

The data you provide when registering will be shared within our Merlin Entertainments Limited group of companies for internal administrative purposes, including joint customer support, to the extent necessary.

Any disclosure of personal data is justified by the fact that we have a legitimate interest in disclosing the data for administrative purposes within our group of companies and your rights and interests in the protection of your personal data within the meaning of Art. 6 para. 1 lit. f GDPR do not prevail.

14.2 Misuse, legal prosecution

If it is necessary to investigate unlawful or improper use of the app or for legal prosecution, personal data will be forwarded to law enforcement authorities or other authorities and, if necessary, to injured third parties or legal advisors. However, this only happens if there are indications of unlawful or abusive behaviour. Disclosure may also take place if this serves to enforce terms of use or other legal claims. We are also legally obliged to provide information to certain public authorities on request. These are law enforcement authorities, authorities that prosecute administrative offences subject to fines and the tax authorities.

Any disclosure of personal data is justified by the fact that (1) the processing is necessary to fulfil a legal obligation to which we are subject pursuant to Art. 6 para. 1 lit. f GDPR in conjunction with national legal requirements to disclose data to law enforcement authorities or (2) we have a legitimate interest in disclosing the data if there are indications of abusive behaviour or to enforce our terms of use. national legal requirements for the disclosure of data to law enforcement authorities, or (2) we have a legitimate interest in disclosing the data to the aforementioned third parties if there are indications of abusive behaviour or to enforce our terms of use, other conditions or legal claims and your rights and interests in the protection of your personal data within the meaning of Art. 6 para. 1 lit. f GDPR do not prevail.

14.3 Own administrative purposes, service providers, order processing

We rely on contractually affiliated companies of the Merlin Group and the following third-party companies and external service providers to provide our services.

Any disclosure of personal data is justified by the fact that (1) we have a legitimate interest in disclosing the data for administrative purposes within our group of companies and your rights and interests in the protection of your personal data within the meaning of Art. 6 para. 1 lit. f GDPR are not overridden and (2) we have carefully selected our third-party companies and external service providers as processors within the framework of Art. 28 para. 1 GDPR, regularly checked them and contractually obliged them to process all personal data exclusively in accordance with our instructions.

14.4 Restructuring of the company

As part of the further development of our business, the structure of our company may change by changing its legal form or by founding, buying or selling subsidiaries, parts of the company or components. In such transactions, customer information may be passed on together with the part of the company to be transferred. Whenever personal data is passed on to third parties to the extent described above, we ensure that this is done in accordance with this data protection declaration and the applicable data protection law.

Any disclosure of personal data is justified by the fact that we have a legitimate interest in adapting our corporate form to the economic and legal circumstances as required and your rights and interests in the protection of your personal data within the meaning of Art. 6 para. 1 lit. f GDPR do not outweigh this.

15 Changes of purpose

Your personal data will only be processed for purposes other than those described if this is permitted by law or if you have consented to the changed purpose of the data processing. In the event of further processing for purposes other than those for which the data was originally collected, we will inform you of these other purposes prior to further processing and provide you with all other relevant information.

16 Storage duration

We process and store your personal data to the extent necessary for the duration of our business relationship, which also includes the initiation and execution of a contract as well as the regular limitation period of three years for the defence against or assertion of legal claims.
 In addition, we are subject to various retention and documentation obligations, including those arising from the German Commercial Code (HGB) or the German Fiscal Code (AO). The retention periods specified there are six to ten years. During this time, the processing of data is restricted. The retention obligation begins at the end of the calendar year in which the offer was made or the contract was fulfilled.

We delete or anonymise your personal data as soon as it is no longer required for the purposes for which we collected or used it in accordance with the above paragraphs. As a rule, we store personal data for the duration of the user contract for the app plus a period of 60 days, during which we keep backup copies after deletion. If this data is no longer required for criminal prosecution or to secure, assert or enforce legal claims, it will then be deleted.

If you have given us your consent for a processing operation, the data associated with the granting of consent will be stored for the duration of the processing operation and for a further three years after the end of the processing operation within the scope of the statute of limitations. You can revoke your consent at any time with effect for the future. The legality of the data processing until the revocation remains unaffected.

17 Your rights

17.1 General rights

You have the following rights:

  • to request information about your personal data processed by us in accordance with Art. 15 GDPR;
  • in accordance with Art. 16 GDPR, to immediately request the correction of incorrect or the completion of your personal data stored by us;
  • to request the deletion of your personal data stored by us in accordance with Art. 17 GDPR;
  • to request the restriction of the processing of your personal data in accordance with Art. 18 GDPR;
  • in accordance with Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request that it be transmitted to another controller;

17.2 Right of objection

In accordance with Art. 21 GDPR, you have the right (i) under certain conditions to object to the processing of your personal data, which is based on Art. 6 para. 1 lit. e GDPR (in the public interest) or on Art. 6 para. 1 lit. f GDPR (to safeguard a legitimate interest), or (ii) to object to processing for direct marketing purposes.

17.3 Revocation of consent

In accordance with Art. 7 para. 3 GDPR, you can revoke your consent to us at any time. You can do this within the app by accessing the system settings and revoking authorisations and/or deleting cookies.

17.4 Right of appeal

You have the right to contact a supervisory authority in the event of complaints regarding the processing of personal data concerning you by us. The supervisory authority responsible for us is

The State Commissioner for Data Protection of Lower Saxony

Prinzenstrasse 5
30159 Hanover

Phone: 0511 120-4500
e-mail:   poststelle@lfd.niedersachsen.de

However, you can also contact any other supervisory authority.

18 Contact

You can find our contact details in section 1. When you contact us by email, the data you provide (email address, name and/or other contact details) will be stored by us in order to answer your questions and process your request. The legal basis is Art. 6 para. 1 sentence 1 lit. a GDPR. If your details relate to other communication channels (e.g. your telephone number), we assume that we may contact you via all communication channels provided in order to respond to your enquiry. You can of course revoke this consent at any time for the future.

Your data that we have received in the course of contacting you will be deleted as soon as it is no longer required for the purpose for which it was collected, your request has been fully processed and no further communication with you is necessary or desired by you and any statutory retention periods have expired.

19 Changes to this privacy policy

We reserve the right to change the privacy policy from time to time and to adapt it to changes in the processing of your personal data or to adapt it to the state of the art. The current version of the privacy policy is always available in the menu under Info> Privacy within the app.

Health