Jourma

Privacy Policy for the App — Jourma GmbH

Legally Binding Version: German

This privacy policy applies to the mobile application "Jourma" for iOS and Android.

Thank you for using our mobile application "Jourma" (hereinafter "App"). The protection of your Personal Data is important to us. We want you to feel safe when using our App. We process your Personal Data in accordance with the General Data Protection Regulation (DSGVO) and the data protection provisions applicable in Germany.

1. Contact Details of the Data Controller

The Data Controller within the meaning of the DSGVO is:

Jourma GmbH Taunustor 1 60310 Frankfurt am Main / Deutschland

Managing Director (Geschaftsfuhrer): Hakan Kocabas Commercial Register: Amtsgericht Frankfurt am Main, HRB 136208 USt-IdNr. (VAT ID): DE412018648

Telefon: +49 69 5050604633 E-Mail: info@jourma.de Website: https://jourma.de

2. Contact Details for Data Protection Matters

If you have any questions regarding data protection, please contact:

E-Mail: datenschutz@jourma.de

Postal address: Jourma GmbH, Taunustor 1, 60310 Frankfurt am Main, Deutschland.

3. Scope of This Privacy Policy

This Privacy Policy applies to:

(a) the mobile application "Jourma" for iOS and Android (hereinafter "App"); (b) the WhatsApp integration service ("WhatsApp Travel Management"), which is available through the App; (c) all associated App services and features.

4. Scope of Processing of Personal Data

As a general principle, we process Personal Data of our users only insofar as this is necessary for the provision of a functional App and our content and services. Beyond this, the processing of Personal Data of our users is carried out on a regular basis only with their Consent. An exception applies in cases where obtaining prior Consent is not possible for practical reasons and the processing of the data is permitted by statutory provisions.

We may process the following categories of data:

  • Master data (e.g. first name, last name)
  • Contact data (e.g. email address, telephone number, WhatsApp telephone number)
  • Communication data (e.g. WhatsApp messages)
  • Connection data (e.g. IP address, HTTP headers, user agent)
  • Consent data (e.g. Consent status for proactive notifications)
  • Device data (e.g. device type, screen resolution, operating system, language, app version)
  • Identifiers (e.g. user ID, device ID, advertising ID, pseudonymised user identifiers)
  • Location data (e.g. country, region, city, GPS coordinates when using location-based features)
  • Usage data (e.g. date and time of visit, duration of visit, buttons clicked, feature interactions)
  • Data protection requests (e.g. your specific request, our response, our documentation of fulfilment of the request)
  • Travel data (e.g. itineraries, booking information, flight data, travel documents)
  • Subscription data (e.g. plan type, subscription status, renewal and extension dates, transaction identifiers, Free Trial data)
  • AI processing data (e.g. user queries and messages submitted for AI-powered processing, generated responses)

4.1 Registration and Account (App)

Use of the App requires registration. The following data is collected during registration: first name, last name, email address and a password. Optionally, you may register via third-party authentication services (Google Sign-In, Apple Sign In). In this case, your name, email address and, where applicable, profile picture are transmitted by the respective provider.

The processing is carried out on the basis of Art. 6 Abs. 1 lit. b DSGVO (performance of a contract) for the provision of the service.

4.2 WhatsApp Integration Service

The WhatsApp integration service ("WhatsApp Travel Management") is an optional premium feature available exclusively as part of the Pro Plan. The service enables users to interact with their travel data via the WhatsApp messaging platform.

Prerequisites for use: (a) An active Pro Plan subscription; (b) A valid WhatsApp account; (c) Completion of the account linking process (OTP verification), through which the user voluntarily links their WhatsApp telephone number with their Jourma account.

Categories of data processed:

  • WhatsApp telephone number (for account linking)
  • Messages and queries transmitted via the WhatsApp channel
  • Travel data retrieved or transmitted in the course of the interaction
  • Conversation history
  • Consent status for proactive notifications
  • Selected AI provider

Legal Bases: (i) Art. 6 Abs. 1 lit. b DSGVO (performance of a contract) -- for the processing of messages, travel data and account information necessary for the provision of the WhatsApp integration service included in the Pro Plan; (ii) Art. 6 Abs. 1 lit. a DSGVO (Consent) -- for the sending of proactive notifications (e.g. flight status changes, travel reminders). Consent may be withdrawn at any time, including by entering "STOP" in the WhatsApp chat or in the App settings.

4.3 AI-Powered Processing

Within the scope of the WhatsApp integration service and other App features, user queries are processed by AI systems (including large language models). The user may select the AI provider used for processing their queries within the WhatsApp channel. The available AI providers are listed in Section 8.2.

Categories of data processed:

  • User messages and queries
  • Travel data required to answer the query (e.g. flight numbers, itineraries, booking details)
  • Generated responses

Legal Basis: Art. 6 Abs. 1 lit. b DSGVO (performance of a contract) -- the AI-powered processing is an integral part of the services included in the Pro Plan.

No fully automated decisions with legal or similarly significant effects for the user within the meaning of Art. 22 DSGVO are made. The AI-generated responses serve exclusively informational and travel planning support purposes.

4.4 Subscription Management

In connection with the management and provision of subscriptions (Free Plan, Pro Plan), we process subscription data. Payment processing is handled by the respective app store operators (Apple Inc. and Google LLC), not by Jourma. Jourma receives from the app store operators only anonymised transaction identifiers and the subscription status.

For subscription management and analytics, we use Adapty, Inc. as a Data Processor (see Section 8.3).

Legal Basis: Art. 6 Abs. 1 lit. b DSGVO (performance of a contract).

5. Legal Bases for the Processing of Personal Data

Insofar as we obtain Consent from the data subject for the processing of Personal Data (e.g. for proactive WhatsApp notifications), Art. 6 Abs. 1 lit. a DSGVO serves as the Legal Basis.

Where we process your data to carry out pre-contractual measures at your request (e.g. prior to registration for the use of our App) or for the performance of a contract (e.g. provision of the Pro Plan including WhatsApp integration and AI-powered features), our Legal Basis is Art. 6 Abs. 1 lit. b DSGVO.

Where we process data to fulfil a legal obligation (e.g. tax-related retention requirements), Art. 6 Abs. 1 lit. c DSGVO constitutes the Legal Basis.

In all other cases, we process Personal Data pursuant to Art. 6 Abs. 1 lit. f DSGVO on the basis of Legitimate Interests, which we describe in the section on the purposes of data processing.

6. Purposes of Data Processing

Personal Data is processed for the following purposes:

  • Provision of the service: Enabling the use of our App and the WhatsApp integration service, ensuring the continuous functionality and security of our information technology systems, general administration of our service (Art. 6 Abs. 1 lit. b, f DSGVO).

  • Travel management: Processing of travel data, booking information, flight data and related information for the provision of the App's travel management features (Art. 6 Abs. 1 lit. b DSGVO).

  • WhatsApp integration: Processing of WhatsApp messages, travel data and account information for the provision of the WhatsApp integration service, including AI-powered responses and proactive notifications (Art. 6 Abs. 1 lit. b DSGVO for service provision; Art. 6 Abs. 1 lit. a DSGVO for proactive notifications).

  • AI-powered processing: Transmission of user queries to selected AI providers for the generation of responses and travel recommendations (Art. 6 Abs. 1 lit. b DSGVO).

  • Subscription management: Management of subscription plans, trial periods, renewals and cancellations via Adapty as Data Processor (Art. 6 Abs. 1 lit. b DSGVO).

  • Analytics: Provision of analytical tools that recognise users of our service via identifiers, analyse usage behaviour and use the data to optimise the App (Art. 6 Abs. 1 lit. a DSGVO). No evaluation for marketing purposes takes place in this context.

  • Data protection matters: Processing and responding to your data protection-related requests and storage of your requests for the fulfilment of documentation obligations (Art. 6 Abs. 1 lit. f DSGVO).

  • Compliance: Enforcement of our own legal claims and compliance with other legal provisions (Art. 6 Abs. 1 lit. c, f DSGVO).

7. Data Recipients

The data we collect is only disclosed where a data protection Legal Basis exists in the specific case.

We use external service providers for certain features of our App. As is common in many organisations, we use both domestic and international partners for various business processes, including in the areas of IT, telecommunications, sales and marketing. These service providers act exclusively in accordance with our instructions and are bound to comply with data protection regulations on the basis of a Data Processing Agreement (DPA) pursuant to Art. 28 DSGVO.

The following categories of recipients -- generally acting as Data Processors -- may, under certain circumstances, have access to your Personal Data:

  • Technical service providers that ensure the operation of our App and handle the processing of stored or transmitted data (e.g. data centres, cloud infrastructure, IT security service providers). The transfer is based on Art. 6 Abs. 1 lit. b or f DSGVO, insofar as they do not act as Data Processors.

  • AI service providers acting as Data Processors on behalf of Jourma to process user queries and generate responses (Art. 6 Abs. 1 lit. b DSGVO).

  • Subscription management service providers acting as Data Processors on behalf of Jourma to process subscription and transaction data (Art. 6 Abs. 1 lit. b DSGVO).

  • Public authorities and governmental bodies, insofar as we are legally obliged to disclose your data, in particular in the case of binding requirements, official requests, court orders and legal proceedings for the prosecution or enforcement of rights (Art. 6 Abs. 1 lit. c DSGVO).

  • External business partners, such as auditors, banks, insurance companies, legal advisors or supervisory authorities. The data transfer is based on Art. 6 Abs. 1 lit. b or f DSGVO.

  • In all other cases, we only disclose Personal Data to third parties where this is legally permissible and necessary for the performance of a contract or for the implementation of pre-contractual measures at your request (Art. 6 Abs. 1 lit. b DSGVO) or where you have given us your express Consent pursuant to Art. 6 Abs. 1 lit. a DSGVO.

8. Data Processors and Third-Party Providers

8.1 App Data Processors -- Cloud Infrastructure and Operations

(a) Amazon Web Services (AWS) -- Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxemburg -- Cloud infrastructure for all App backend services. Data is processed and stored in the EU region (Frankfurt, eu-central-1).

  • DPA: Integrated into the AWS service agreement.
  • Privacy notice: https://aws.amazon.com/privacy/
  • Third-country transfer: Not required (processing within the EU).

(b) Amplitude Inc. (San Francisco, USA) -- App analytics and usage statistics. Processes usage events, device information and session data.

(c) Google Firebase -- Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland -- Authentication (Firebase Auth), crash reporting (Crashlytics), analytics and push notifications.

(d) Shorebird (USA) -- Code push service for app updates. Processes anonymous device identifiers and app version.

(e) Branch.io (USA) -- Deep linking service. Processes device information and link analytics.

8.2 AI Service Providers (Data Processors)

Within the scope of the WhatsApp integration service and other AI-powered features of the App, the user may select one of the following AI providers for the processing of their queries. All AI service providers act as Data Processors on behalf of Jourma within the meaning of Art. 28 DSGVO.

(a) OpenAI, Inc. (San Francisco, USA) -- Operator of the GPT models.

  • Data processed: Messages and queries submitted by the user, travel data required for generating a response.
  • Retention period: Queries are retained for a maximum of 30 days for abuse and security monitoring and are subsequently deleted.
  • DPA: https://openai.com/policies/data-processing-addendum/
  • Privacy notice: https://openai.com/policies/privacy-policy/
  • Third-country transfer: Adequacy Decision (EU-US Data Privacy Framework) or Standard Contractual Clauses (SCCs) (Art. 46 Abs. 2 lit. c DSGVO).

(b) Anthropic, Inc. (San Francisco, USA) -- Operator of the Claude models.

  • Data processed: Messages and queries submitted by the user, travel data required for generating a response.
  • Retention period: Data is deleted within 30 days of processing.
  • DPA: Integrated into the Anthropic Commercial Terms of Service; includes EU Standard Contractual Clauses (SCCs) (Module 2 and 3), UK and Switzerland addenda.
  • Privacy notice: https://www.anthropic.com/privacy
  • Third-country transfer: Standard Contractual Clauses (SCCs) (Art. 46 Abs. 2 lit. c DSGVO).

(c) Google LLC (Mountain View, USA) -- Operator of the Gemini models.

Processing by the AI service providers is limited to the processing of messages submitted by the user for the purpose of generating a response. No storage of Personal Data by the AI service providers beyond the immediate query processing takes place, unless required for the fulfilment of statutory obligations or for abuse monitoring. The data is not used for training of AI models.

The user is informed of the respective service provider when selecting the AI provider in the WhatsApp channel. The first message from Jourma in the WhatsApp channel contains a corresponding notice regarding AI-powered processing and the currently selected AI provider.

8.3 Adapty (Data Processor for Subscription Management)

Adapty, Inc. (USA) -- Subscription management platform. Adapty acts as a Data Processor on behalf of Jourma within the meaning of Art. 28 DSGVO.

Categories of data processed:

  • Anonymised or pseudonymised user identifiers
  • Subscription status and history (e.g. plan type, start date, renewal date, cancellation date)
  • Transaction identifiers and purchase receipts (as provided by the app stores)
  • Device and platform information relevant to the subscription (e.g. operating system, app store region)
  • Free Trial eligibility and usage data

Purpose: Subscription management, analytics and optimisation.

8.4 Meta Platforms (Independent Data Controller)

Meta Platforms Ireland Ltd., Merrion Road, Dublin 4, D04 X2K5, Irland.

WhatsApp Business API: In connection with the WhatsApp integration service, the WhatsApp Business API by Meta is used. Meta Platforms Ireland Ltd. acts as an independent Data Controller within the meaning of the DSGVO with respect to the data processed within the WhatsApp platform itself. Jourma is the Data Controller for the data processing carried out within the scope of the WhatsApp integration within Jourma's own systems.

8.5 App Store Operators (Independent Data Controllers)

The app store operators process payment and subscription data independently in accordance with their own privacy policies. Jourma has no control over the independent data processing carried out by the app store operators.

(a) Apple Inc. (Cupertino, USA) -- App Store, in-app purchases, Apple Sign In.

(b) Google LLC (Mountain View, USA) -- Google Play Store, in-app purchases, Google Sign-In.

8.6 Third-Party APIs (Data Recipients)

The following third-party services are used in the App for specific features. These services receive only technical request data and generally no Personal Data:

  • Google Places API (Google LLC) -- Location search and information. Receives GPS-based search queries.
  • Amadeus IT Group SA (Madrid, Spanien) -- Flight booking data.
  • AeroDataBox (via RapidAPI) -- Flight information. Receives exclusively flight numbers, dates and IATA codes (no Personal Data).

9. Transfer to Third Countries

We may use services whose providers are located in part in so-called third countries (outside the European Union (EU) or the European Economic Area (EEA), in particular in the USA) or transfer Personal Data thereto, i.e. to countries whose level of data protection does not correspond to that of the European Union.

Adequacy Decision (Art. 45 DSGVO): Where an Adequacy Decision of the European Commission exists for such countries, we base the data transfer thereon. For the USA, this applies only where the US recipient has certified under the EU-US Data Privacy Framework. This applies in particular to:

  • Google LLC (Firebase, Gemini, Places API)
  • Meta Platforms Inc. (WhatsApp)

Standard Contractual Clauses (SCCs) (Art. 46 Abs. 2 lit. c DSGVO): Where no Adequacy Decision exists for the country in question, we have put in place appropriate contractual safeguards to ensure an adequate level of data protection for any data transfers. These include, in particular, the EU Standard Contractual Clauses (SCCs). This applies in particular to:

  • OpenAI, Inc. (AI processing)
  • Anthropic, Inc. (AI processing)
  • Amplitude Inc. (App analytics)
  • Adapty, Inc. (subscription management)
  • Shorebird (code push)
  • Branch.io (deep linking)
  • Apple Inc. (App Store, Sign In)

Where this is not possible, we base the data transfer on derogations pursuant to Art. 49 DSGVO, in particular your express Consent or the necessity of the transfer for the performance of a contract or for the implementation of pre-contractual measures.

Where a transfer to a third country is planned and neither an Adequacy Decision nor appropriate safeguards are in place, the possibility and risk exist that authorities in the respective third country (e.g. intelligence services) may gain access to the transferred data in order to collect and analyse it, and that the enforceability of your data subject rights cannot be guaranteed.

10. Duration of Data Storage

We store your Personal Data only for as long as is necessary for the respective purposes for which it was collected. The following retention periods apply in detail:

Data category Retention period
Account data (App) Until account deletion by the user
Travel data (App) Until deletion by the user or account deletion
WhatsApp telephone number assignment Until account unlinking (immediate deletion)
WhatsApp conversation history 30 days after account unlinking
AI query processing (OpenAI/Anthropic) Maximum 30 days with the AI provider
Subscription data (Adapty) For the duration of the subscription plus statutory retention periods
Proactive notification Consent Until withdrawal or until account unlinking
Server logs 90 days

Statutory retention periods and deletion obligations remain unaffected, e.g. pursuant to Sec. 257 HGB or Sec. 147 AO (up to 10 years for tax-relevant documents). After expiry of the statutory retention periods, the data is deleted, unless further storage is necessary and covered by a Legal Basis.

Upon account deletion: All Personal Data associated with the account, including WhatsApp-related data, is deleted as part of the standard account deletion process, subject to statutory retention obligations.

11. Your Rights as a Data Subject

You have the following rights:

11.1 Right of Access (Art. 15 DSGVO)

You have the right to obtain information from us about the Personal Data concerning you. This includes, in particular, information about the purposes of processing, the categories of Personal Data, the recipients, the retention period and the existence of further rights. This requires a request on your part, which is to be sent to us by email to datenschutz@jourma.de or by post to the address stated above.

11.2 Right to Object and Withdrawal of Consent

Pursuant to Art. 21 DSGVO, you have the right to object at any time, on grounds relating to your particular situation, to the processing of Personal Data concerning you. We will then no longer process your Personal Data unless we can demonstrate compelling Legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims. Where we process your data for the purposes of direct marketing, we will comply with your objection without requiring any justification.

Pursuant to Art. 7 Abs. 3 DSGVO, you have the right to withdraw your Consent at any time. This has the consequence that we may no longer continue the data processing based on that Consent in the future. The withdrawal does not affect the lawfulness of the processing carried out on the basis of the Consent prior to the withdrawal.

For the WhatsApp integration service: You may withdraw your Consent to proactive notifications at any time by:

  • Deactivating in the App settings;
  • Entering "STOP" in the WhatsApp chat;
  • Unlinking the account in the App settings.

11.3 Right to Rectification (Art. 16 DSGVO)

Insofar as Personal Data concerning you is inaccurate, you have the right to demand that we rectify it without undue delay.

11.4 Right to Erasure (Art. 17 DSGVO)

Under the conditions set out in Art. 17 DSGVO, you have the right to demand the erasure of Personal Data concerning you. A right to erasure exists in particular where the data in question is no longer necessary for the purposes for which it was collected or processed, where the retention period has expired, where an objection has been lodged or where the processing is unlawful.

When using the App, you may delete your account in the App settings. All Personal Data associated with the account will then be deleted, subject to statutory retention obligations.

11.5 Right to Restriction of Processing (Art. 18 DSGVO)

You have the right to demand from us the restriction of the processing of your Personal Data, in particular where the accuracy of the data is contested, the processing is unlawful, or we no longer require the data but you need it for the establishment, exercise or defence of legal claims.

11.6 Right to Data Portability (Art. 20 DSGVO)

You have the right to receive the Personal Data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, insofar as the statutory requirements are met.

12. Right to Lodge a Complaint

If you believe that the processing of your Personal Data infringes data protection regulations, you have the right pursuant to Art. 77 DSGVO to lodge a complaint with a data protection supervisory authority.

The contact details of the supervisory authority responsible at our place of business are:

Der Hessische Beauftragte fur Datenschutz und Informationsfreiheit Gustav-Stresemann-Ring 1 65189 Wiesbaden / Deutschland

Telefon: 0611-1408 0 E-Mail: poststelle@datenschutz.hessen.de

13. Necessity of Providing Data

13.1 App

Use of the App requires registration with the provision of name, email address and password. Without this data, you cannot use the App. The provision of the registration data is a contractual requirement pursuant to Art. 6 Abs. 1 lit. b DSGVO.

13.2 WhatsApp Integration Service

Use of the WhatsApp integration service requires the voluntary linking of your WhatsApp telephone number with your Jourma account. Without this linking, the WhatsApp integration service cannot be provided. The provision of the WhatsApp telephone number is a contractual requirement for the Pro Plan with WhatsApp integration.

13.3 Subscription (Pro Plan)

Payment processing for the Pro Plan is handled exclusively by the app store operators (Apple Inc. or Google LLC). Jourma does not receive or process any payment information (e.g. credit card data) directly.

14. Automated Decision-Making

Automated decision-making including profiling within the meaning of Art. 22 DSGVO, which produces legal effects or similarly significantly affects you, does not take place.

The AI-powered processing of user queries within the scope of the WhatsApp integration service and the App does not constitute automated decision-making within the meaning of Art. 22 DSGVO, as the generated responses are exclusively informational in nature and do not produce any legal or similarly significant effects on the user.

15. Updates to This Privacy Policy

We reserve the right to supplement or amend this Privacy Policy as necessary, in particular in the event of changes to our services, new legal requirements or the introduction of new processing activities. The current version is available in the App and on our website at all times.