Privacy policy of the eBike Flow app

Robert Bosch GmbH (hereinafter "Bosch eBike Systems" or "we" or "us") welcomes you to our eBike Flow app and subdomains of the services (hereinafter "online offer"). Thank you for your interest in our company and our products.

The protection of your privacy in the processing of personal data as well as the security of all business data is an important concern for us. We process personal data collected during your visit to our online offer confidentially and only in accordance with legal regulations. Data protection and information security are anchored in our corporate policy.

1. Data Controller

The Data Controller responsible for processing your data is:

Robert Bosch GmbH

Robert-Bosch-Platz 1

70839 Gerlingen-Schillerhöhe

Germany

E-mail: kontakt@bosch.de

Exceptions are explained in this data protection notice.

 

1.1 Rights of the Controller

To exercise your rights, please use the following link:

https://request.privacy-bosch.com/entity/RB/

To report data protection incidents, use the following link:

https://www.bkms-system.net/bosch-datenschutz

   

1.2 Questions and suggestions regarding data protection

If you have any questions or suggestions regarding data protection, please feel free to contact us.

You can reach us at:

E-mail: kontakt@bosch.de

Tel.: +49 711 400 40990

 

1.3 Contacting the data protection officer

If you have any complaints or suggestions regarding the processing of your personal data, we recommend that you contact our data protection officer:

Data Protection Officer

Department for Information Security and Data Protection

Bosch Group (C/ISP)

P.O. Box 30 02 20

70442 Stuttgart, Germany


or

E-mail to: DPO@bosch.com

 

2. Collection, processing and use of personal data

2.1 Principles

Personal data means any information relating to an identified or identifiable natural person, such as name, address, telephone number, e-mail addresses, contract master data, contract billing and payment data, that express the identity of a person.

We collect, process and use personal data only if there is a legal basis for doing so.

 

2.2 Categories of data processed

The following categories of data are processed:

  • user-related data (e.g. name, telephone, e-mail, address)
  • device-related data (e.g. manufacturer and model of the eBike, serial number, bike ID, eBike settings, statistics and activity data)
  • service-related data (e.g. GPS data, activity)
  • Health data (e.g. heart rate)
  • Log files (e.g. IP address)
 

2.3 Processing purposes and legal bases

We and the service providers commissioned by us process your personal data for the following purposes:

 

2.3.1 Provision of our online offer

When using our online offer, certain information is automatically transmitted to us and stored in so-called log files. In particular, the following information is processed in the log files:

  • IP address
  • Name of the retrieved files or information
  • Date, time and duration of the retrieval
  • Amount of data transferred
  • HTTP status code
  • Device type (e.g. iOS, Android, operating system)

The log files are processed for the purpose of providing and optimising our online offer, to ensure technical operation and to identify and eliminate malfunctions and to investigate criminal offences.

The legal basis for this is the legitimate interest. The legitimate interest of Bosch eBike Systems consists of the purposes just mentioned. The data is deleted after 30 days if it is no longer needed for the purposes described. Log files whose further storage is necessary for evidentiary purposes are excluded from deletion until the final investigation of the relevant incident and, in individual cases, may be forwarded to investigating authorities within the framework of the legal regulations. We also perform eBike tuning detection. The legal basis for this is legitimate interest. The legitimate interest of Bosch is to determine the intended use of Bosch eBike systems and, if necessary, to be able to check existing warranty and guarantee claims on the Bosch eBike system and other bicycle components.

 

2.3.2 Registration with the online offer/previous setup of a central SingleKey ID at Bosch.IO GmbH

In order to be able to use our services, you must register with our online offer. You can only register for our online offer if you have previously set up a central SingleKey ID. The central SingleKey ID was developed by Bosch.IO GmbH ("BIO") for the Bosch group of companies to enable common users to use services from different companies in the group with uniform access data and to increase data security.

BIO as the responsible party for SingleKey ID and Bosch eBike Systems processes your data under joint responsibility in accordance with the rules of the General Data Protection Regulation and national data protection laws. We have agreed in writing on this joint responsibility for data processing in accordance with Art. 26 of the GDPR (Joint Controllership) and, in particular, regulated and defined the responsibilities and accountabilities of the parties involved. For more detailed information on the individual processing operations, please refer to BIO's data protection notice under point 13 ("Information on joint responsibility towards data subjects pursuant to Art. 26 (2) sentence 2 GDPR") https://singlekey-id.com/data-protection-notice/.

If you wish to register with BIO for a central SingleKey ID, the General Terms and Conditions of Use for the Registration and Use of a Central SingleKey ID and BIO's Privacy Policy apply. After successful registration, you can also log in to this online offer using the access data of the central SingleKey ID. For this purpose, we provide you with a BIO login mask for the central SingleKey ID. BIO then confirms your authorisation and provides us with the following personal information:

  • E-mail address

Your password will not be transmitted to us.

With regard to further data transfers within the Bosch Group in connection with the central SingleKey ID, we refer to the privacy policy information of BIO. You can terminate your user agreement for the central SingleKey ID at any time by unsubscribing. Please click on the following link:

https://myaccount.bosch.com/BeaPUssWeb/unregistration

The aforementioned personal data are processed for the purpose of identification and contract processing (conclusion, execution and termination of the contract).

The legal basis for data processing is the Contract.

After setting up the user account, further voluntary information (e.g. gender, date of birth, height and weight, resting pulse and maximum pulse) can be provided within our online offer in the user account.

User accounts that are inactive for longer than 24 months are automatically deleted irretrievably. Inactivity occurs when user accounts are not used, e.g., by logging into the online offering or using services. Before deleting the inactive user account, we will send an information e-mail to the unused user accounts and give users the opportunity to object to the deletion. If the request remains unsuccessful, the unused user accounts are finally deleted.

 

2.3.3 Provision of services

Via our online offer, information about your eBike is presented and visualised for you in a way that is individual and tailored to your needs. Among other things, you will receive an overview of the components used as well as further technical information about your eBike including the current eBike settings.

To make use of our services, your user account must be linked to an eBike. The link is established by connecting to your user account via Bluetooth from the Bosch Remote Controller (BRC). To establish such a Bluetooth connection to devices with the Android operating systems, Android requires access to your position data (e.g. GPS data) from us. For this purpose, we process your position data to establish a Bluetooth connection with an Android device.

When linking to your user account, the following information of the hardware and software component of your eBike ("device-related data") is processed, among others:

  • Manufacturer of the eBike
  • Model of the eBike (incl. bike parameters)
  • Bike ID
  • Bike model ID
  • Serial number
  • Material number
  • Date of manufacture
  • Version number of hardware and software
  • Drive unit (motor)
  • Battery status
  • eBike settings (e.g. support modes, language, time, time zone)
  • Statistics (e.g. total mileage, charging cycles, ABS events …)
  • Activity data (e.g., total trip time, completed and upcoming service intervals).

In addition to the general services, you have the option of using other free and paid services.

These are described below and depend on your selection. Depending on your selection, personal data will be processed accordingly when using the Services ("Service-related data"). Service-related data is processed for the purpose of providing the functionalities.

The legal basis for the processing of service-related data is the Contract, unless otherwise stated below.

When booking paid services (Flow+), the data for payment processing is collected and processed exclusively and directly by the App Store operators for devices with the Android and iOS operating systems.

 
2.3.3.1 Home Screen

The home screen gives you a quick overview of all the important information such as battery status, remaining range, distance travelled and the next service appointment. Your eBike model is also displayed on the Home Screen, provided that the relevant eBike manufacturer supports this feature. For the display of various information about your eBike on the home screen, the following device-related data, for example, is processed: eBike manufacturer, eBike model, battery status, eBike settings (e.g., support modes, language, time, time zone), statistics (e.g., total mileage, charging cycles) and activity data (e.g. total trip time, completed and upcoming service intervals).

 
2.3.3.2 Route planning, navigation and activity tracking

You can use our location-based services for calculating and displaying routes and for route guidance in the online offer and on the on-board computer. The trip duration of the route, if available, is calculated based on the riding behaviour of the preceding eBike rides.

 

In addition, every activity with your eBike is recorded and visualised in the app (activity tracking). We also record the frequency of use of Bosch eBikes on road and bicycle path networks and visualise the most frequently used path sections for you in maps in our navigation and activity tracking functions. The visualisation of popular path sections helps you find your way when riding. Furthermore, our online offer calculates the remaining range during navigation and displays it to you, i.e. you get an overview of how far you can get with the current engine support.

 

Besides planning in our app, you can additionally upload GPX (GPS Exchange Format) routes to the Flow app and use them afterwards.

 

The following data is processed when you use the services ("Service-related data"):

  • Position data (e.g. GPS data)
  • Start and destination address, search history
  • Routes planned and/or completed
  • Activities (e.g. cadence, speed, total trip time)

As part of the activity tracking, you have the option to allow the activity recording to run in the background. To do this, you must set the location access in the background to "always allow".

You can change the location sharing in the background at any time in the settings.

Regarding the tracking of mobile devices (GSM tracking), we refer to the privacy policy of your mobile provider as well as the app store operators for devices with the Android and iOS operating systems. Please note that most mobile devices allow you to enable or disable the use of location services in the device's settings menu. If you use our online offer, please note that if you disable the mobile device tracking feature, certain services may not be available due to the nature of our services.

As part of activity tracking, you can delete individual recordings in the app. Deletion has no effect on route planning and navigation.

 
2.3.3.3 Dealer search

You can find eBike dealers near you via the dealer search. In order to show you the nearest dealers, we process your location data (e.g. GPS data). Regarding the tracking of mobile devices (GSM tracking), we refer to the privacy policy of your mobile provider and the app store operators for devices with the Android and iOS operating systems. Please note that most mobile devices allow you to enable or disable the use of location services in the device's settings menu. If you use our online offer, please note that if you deactivate the mobile device localisation function, certain services may not be available due to the nature of our services.

 
2.3.3.4 Flow+ Service: Making life more difficult for thieves

The ConnectModule allows you to locate your smart system eBike after it has been stolen, for example. This requires the eBike Lock and Alarm function to be activated.

When eBike Lock is activated, motor support is deactivated. You can also use the Alarm function to display the location of your eBike.

The following service-related data is processed:

  • Component information (e.g. serial numbers, bike ID, part numbers)
  • GPS data of the eBike (via the ConnectModule)

This data is required for the purpose of deactivating the motor and locating your eBike.

 
2.3.3.5 Help Center

To help you quickly find answers to all your questions about your eBike with the smart system, the Help Centre adapts the content displayed to the eBike and its components currently connected to the app. For this purpose, in addition to your name, the following information of the hardware and software component of your eBike ("device-related data") is processed, among others: model of eBikes, name of eBike, bike ID, bike model ID, material number of the Bosch eBike components, eBike settings (e.g. name, language, time, time zone) and device type (platform, operating system).

 
2.3.3.6 Digital service book

We process your device-related data (e.g. bike ID, service type, service date, mileage) to provide you with a digital service history of your eBike with information about changes, updates and services relating to your bike and to enable eBike dealers to manage the entries in your digital service book. The legal basis for the processing of this data is the Contract. The legal basis for access by the bicycle retailer to the digital service book is your consent.

 
2.3.3.7 Individual riding modes

You can modify the motor characteristics of your eBike's drive unit and store these along with the associated properties of the drive unit via our online service and retrieve the relevant data at any time. Additional information on the respective drive unit (settings for the motor) is compiled and visualised here for you, enabling you to activate the motor characteristics you have used in the past, as well as at present, with the specific optimised motor characteristics.

 
2.3.3.8 Activating an already registered eBike for a new user account

To make full use of our services, your user account must be linked to an eBike. Each eBike can be assigned to just one user account at a time.

If your eBike is already assigned to another user account (e.g. if you have purchased your eBike privately because the previous owner has forgotten to remove the eBike from his user account after selling it), you will receive an error message when you try to link the eBike to your user account. The current link between your eBike and another user account must first be reset so that you can link the eBike with your own user account. For this purpose, you must contact the user currently linked to your eBike in order to have the eBike removed from the currently linked user account. If you find you are unable to contact the user currently linked to the eBike, you can initiate further steps via an eBike dealer.

 

2.3.4 Product improvement and development

We use user, diagnostic and usage data resulting from the use of Bosch eBike Systems products and services as well as our online offer to continuously improve our online offer, to develop new products and services and for market research. This includes, for example, an analysis of user groups performance statistics as well as device and software-related usage information, i.e. how you use our online offer, which features you access and to what extent, when you delete your account or how you use our newsletter. The data is used in anonymised form for evaluations for statistical purposes. The legal basis for this processing is a legitimate interest. The legitimate interest of Bosch eBike Systems is to optimise its own products and services, to develop new products and services and thus to maintain or increase your satisfaction. Health data will only be anonymised and processed for product improvement and development purposes with your prior consent.

 

2.3.5 Reviews

You have the possibility to submit reviews and provide feedback if necessary. This process is voluntary. If you are dissatisfied, we will take the liberty of forwarding your feedback to our customer service department and, if necessary, contacting you to resolve your concerns. If you would like us to actively invite you to submit a review by email, you must explicitly confirm this service in the registration process. The request to submit a review is intended to ensure the quality of our online offer and the transparency of the services on our platform for other users. The collection and processing of this data is based on your consent in the case of a request by e-mail and on legitimate interest in all other cases. The legitimate interest of Bosch eBike Systems derives from an interest in maintaining or promoting your satisfaction and optimising our own products.

 

2.3.6 Competitions/customer satisfaction surveys/feed

When competitions and/or customer satisfaction surveys are conducted, your participation is always voluntary. Details on whether and, if applicable, which personal data is collected, stored and processed for which purposes in individual cases can be found in the respective descriptions of the competitions/surveys. The collection and processing of this data is based on the Contract.

In addition, the app continuously displays individual and useful information about the eBike and the digital services, known as the "feed". For example, a feed may contain instructions on how to use the online offer and explore the ecosystem. The creation of individual feeds and their provision is based on the legal basis of the Contract.

 

2.3.7 Customised newsletter/Customised in-app advertising

You can subscribe to a customised newsletter as part of our online offer. Customised newsletters contain information tailored to you about offers and services of our online offer and information about the eBike (e.g. news, updates and product or service information from Bosch eBike Systems, eBike manufacturers, eBike dealers or other partners), practical help and usage tips for our online offer as well as marketing and advertising news. In order to collect the individual information and use it for the content of the newsletter, we evaluate user and diagnostic data as well as data resulting from the use of the products and services of Bosch eBike Systems and our online offer. 

If you wish to unsubscribe from the newsletter and stop the evaluation, you can terminate your subscription at any time by revoking your consent. The revocation can be made via the link provided in the newsletter or in the administrative settings of the respective online offer. Alternatively, you can contact us using the details in the Contact section. The legal basis for the processing of this data is your consent.

In addition, we offer you customised information about the eBike and digital services (e.g. news, updates and product or service information from Bosch eBike Systems, eBike manufacturers, eBike dealers or other Bosch eBike Systems partners) in our online offer, based on your user behaviour and demographic characteristics (e.g. eBike brand, eBike type, average rider performance), which we call in-app advertising. You benefit from this as a user, because you receive information that matches your interests.

The legal basis for the processing of the data mentioned above is your consent.

 

2.3.8 eBike software updates (updates over-the-air)

To ensure that your eBike is kept up to date and continuously enhanced with new features, our online offer regularly checks in the background whether software updates are available for your Bosch eBike components. You also have the option of manually searching for software updates in the online offer. To request software updates, we process the current hardware and software versions of your Bosch eBike components (e.g. motor, battery), serial numbers and brand ID. This processing is carried out based on the Contract.

We will inform you in our online offer as soon as a new update is available for your eBike, and you decide if and when you want to download and install the software update. If you wish to download and install all future software updates without any action on your part, you can consent to automated processing in the settings of our online offer. The legal basis for the processing of this data is your consent.

 

2.3.9 Contacting customer service

If you contact our customer service, e.g. for questions, complaints, suggestions or to verify your identity for eBikes that are already registered, the following personal data will be processed to handle your request:

  • user-related data (e.g. name, telephone, e-mail, Bosch ID, identity document)
  • Time of the phone call/date of sending the email
  • Requests
  • Attachments (e.g. photos, documents)
  • Device-related data (e.g. eBike components, serial number, software version, device information, app version). 

If you contact us using the contact form on our website, log files with device-related data can be attached to your request so that customer service can process your request as efficiently as possible.

Should you contact us outside of a specific contractual relationship or registration, the legal basis for data processing is our legitimate interest in providing you with the best possible service. In the case of a contractual relationship or registration, the legal basis is the requirement to fulfil the contract.

If you contact us by phone, we may ask you during the call if we may record the following conversation for service optimisation purposes. The recording is voluntary. We will only record the conversation if you give your consent to do so. The legal basis is your consent.

 

2.3.10 Handling of a service case at the bicycle retailer or service partner/connecting an eBike to a DiagnosticTool

If you have a concern regarding your eBike, simply contact your bicycle retailer or service partner. In order to process your request, it is first necessary to identify the technical error. For this purpose, the bicycle retailer connects your eBike to a DiagnosticTool. When your eBike is connected to the DiagnosticTool, the following information about your eBike is sent to Bosch eBike Systems for processing ("device-related data"): information about the manufacturer, the production date and the model of the eBike, bike ID, information about the eBike components (article number, serial number, hardware and software versions, configuration data, statistical data), as well as activity data of the eBike (e.g. total trip time, completed and upcoming service intervals). The device-related data may be processed for the following purposes: processing your request, handling a service case, configuring the eBike, performing updates, tamper detection and reset, enabling the eBike components, setting the system time and for product improvement.

The legal basis for the processing is the Contract or the legitimate interest. The legitimate interest of Bosch eBike Systems derives from an interest in processing your request, processing service cases, maintaining or promoting your satisfaction and optimising our own products.

 

2.4 Children

This online offer is not intended for children under the age of 16.

3. Transfer of data to service providers and third parties

3.1 Transfer of personal data

In our online offer, we provide you with various features from external providers (for detailed information, see 3.4) in order to offer you a user-friendly and intuitive navigation with regard to the use of our services as well as other additional functions. In this context, your personal data will only be transferred to other responsible parties (our "Partners") if this is necessary for the provision of the functionalities selected by you and for the processing of your enquiry when you contact our customer service and/or your consent has been granted. You can revoke your consent for functionalities at any time directly in the online offer. Please also note the privacy policy of the respective providers.

We also use external service providers of IT and marketing services, call centres and programming to provide you with our services. Other companies in the Bosch Group may also be service providers. We have carefully selected these service providers and monitor them regularly, in particular the careful handling and security of the data stored with them. All service providers are obliged to maintain confidentiality and to comply with the statutory data protection provisions.

In addition, your data may be transferred to public authorities if we are obliged to do so by law or by an enforceable official or court order. If the transfer of data takes place on the basis of a legitimate interest, you will be expressly informed of this in this privacy policy description.

 

3.2 Transfer to partners outside the EEA/Switzerland

If your personal data is transferred to partners who are based outside the EEA/Switzerland in so-called third countries, you will be informed of this in each case. We ensure that prior to the transfer either an adequate level of data protection exists with the partner (e.g. based on an adequacy decision of the EU Commission for the respective country or the agreement of so-called EU standard contractual clauses of the European Union [with adaptations to the Swiss Data Protection Act] with the partner) or your consent to the transfer has been obtained. Please also note the corresponding privacy policies of the partners. You have the right to receive an overview of the recipients in third countries and a copy of the specifically agreed provisions to ensure an adequate level of data protection. For this, please use the information in the contact area.

 

3.3 Sharing with other providers via Cloud API

Bosch eBike Systems puts you in control of your data. With your express consent, we may share your device-related data (such as eBike manufacturer, total ride time, eBike statistics) and/or service-related data (such as activities, cadence, speed) with other providers ("Third Parties"). This requires that you first log in on the Bosch eBike Systems user interface (Flow app/website) with your central SingleKey ID and consent to the corresponding transfer of data. Once you have granted us such consent, we will allow the relevant third party access to your personal data generated by us on your behalf. You can cancel third party access to your data at any time. To do this, you need to revoke the corresponding permission for data transfer in the Flow app under: "Settings">"Connected Services">"3rd Party Integration".

Responsibility for the data processing associated with the transfer lies with you or the third party. The data processing carried out by the Third Party is subject to the said Third Party's terms of use and privacy policy. Bosch eBike Systems has no influence over these. For more information on data processing, please refer to the Third Party's terms of use and privacy policy.

 

3.4 External services

 

3.4.1 Apple Health and Apple Watch

You can transfer your activity and fitness data from our online offer to the Apple Health application from Apple Inc., 1 Infinite Loop, Cupertino, CA 95014, USA. In the process, Apple Health receives the following data, among others: start and end time of a completed activity, distance, duration, speed and calories. The data is made available to you in Apple Health. In addition, you have the option of displaying your heart rate during an activity using the "Apple Watch". The various devices must be connected to one another for data transmission.

You can terminate this connection between the accounts at any time. It is possible that Apple Health may process this information at locations outside the EU or the EEA/Switzerland (e.g. in the US). The legal basis for the processing of data to provide the service is the Contract. The legal basis for the transfer of data to Apple Health is your consent. For more information about Apple Health's processing of your personal data and your rights as a data subject and privacy settings options, please refer to Apple Health's privacy policy at https://www.apple.com/de/legal/privacy/de-ww/.

 

3.4.2 Mapbox

We use the map material of Mapbox Inc, 740 15th St NW, 5th Floor Washington, D.C. 20005, USA ("Mapbox") to be able to offer you the navigation and route calculation function with additional functionalities, such as topographic range measurement or use in offline mode. Mapbox is responsible under data protection law for the processing of your personal data. It is possible that Mapbox may process this information at locations outside the EU or the EEA/Switzerland (e.g. in the US). Further information about Mapbox's services can be found at: www.mapbox.com. Mapbox's privacy policy can be found at https://www.mapbox.com/legal/privacy/.

 

3.4.3 Strava

Our website gives you the option of exporting certain activity data, such as times, distances travelled, calories burned, as well as heart rate and position data, elevation, speeds or cadence, to the Strava external portal so you can share this information there. For this purpose, we use the social plugin from Strava Inc, 500 3rd Street, 110, San Francisco, CA 94107, USA. It is possible that Strava may process this information at locations outside the EU or the EEA/Switzerland (e.g. in the US). The legal basis for the processing of data to provide the service is the Contract. The legal basis for the transfer of data to Strava is your consent. For information about the processing of your personal data and your rights as a data subject, please refer to Strava's privacy policy at https://www.strava.com/legal/privacy.

 

3.4.4 Komoot

We offer Komoot's Profile Connect function, which is operated by komoot GmbH, Friedrich-Wilhelm-Boelcke-Straße 2, 14473 Potsdam, Germany. When you activate the Komoot "Profile Connect function" in the authorisation dialogue, the routes you plan on Komoot are synchronised with your Bosch profile, and your Bosch activities are synchronised with your Komoot account. This involves an exchange of data between us and Komoot, whereby we receive the route information planned on Komoot and make it available to you via the "My Routes" function, and Komoot receives the recorded activity data (including trip times, distances, speeds, and position and elevation data) from us – if available. You can end this connection between the accounts at any time. It is possible that Komoot may process this information at locations outside the EU or the EEA/Switzerland (e.g. in the US). The legal basis for the processing of data to provide the service is the Contract. The legal basis for the transfer of data to Komoot is your consent. For more information about how Komoot processes your personal data and your rights as a data subject, as well as settings options to protect your privacy, please refer to Komoot's privacy policy at https://www.komoot.de/privacy.

 

3.4.5 Explore – Outdooractive

As a registered user, you can search for, view and save tour suggestions for selected regions on our website using the "Explore" function. This service is provided externally by our service partner Outdooractive GmbH & Co. KG with registered offices at Missener Straße 18, 87509 Immenstadt, Germany. When you use the Outdooractive tour search, the following data may be transferred from your device to Outdooractive: the name of the app, date and time of the server request, amount of data transferred, terminal device type/version, the user's operating system, the user's IP address and confirmation of successful retrieval. It is possible that Outdooractive may process this information at locations outside the EU or the EEA/Switzerland (e.g. in the US). The legal basis for the processing of data to provide the service is the Contract. The legal basis for the transfer of data to Outdooractive is your consent. Further information can be found in the Outdooractive privacy policy at https://www.outdooractive.com/de/datenschutz.html.

 

3.4.6 Trek's "Next Service Integration"

We offer Trek's "Next Service Integration" function, which is operated by Trek Bicycle Corporation, 801 West Madison Street, Waterloo, WI 53594, United States. As a registered user, you can use this function to check upcoming workshop service intervals on our website. When you enable this feature in the authorisation dialogue, the technical bike information you have entered on Trek, as well as your Bosch activities, will be synchronised with your Trek account.

This involves an exchange of data between us and Trek, but we do not have access to the technical bike information (such as bike model, bike model description) and activity data stored by Trek. This information is provided through the Next Service Integration function if Trek has made this recorded activity data available to us. The following data is processed when you use the services ("Service-related data"):

  • Route characteristics (e.g. ascents and descents, total distance)
  • Activities (e.g. cadence, speed, total ride time)
 

It is possible that Trek may process this information at locations outside the EU or the EEA/Switzerland (e.g. in the US). The legal basis for the processing of data to provide the service is the Contract. The legal basis for the transfer of data to Trek is your consent. For more information about Trek's processing of your personal data and your rights as a data subject and privacy settings, please see Trek's privacy policy at www.trekbikes.com/de/de_DE/company/legal_policies/privacy_policy_terms_of_use/.

 

3.4.7 YouTube

In our portal, you can also play videos from the video platform YouTube, for which Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("YouTube") is responsible under data protection law. YouTube is a platform that enables the playback of audio and video files. When you want to play a video, the embedded YouTube player connects to YouTube so that the video or audio file can be transferred and played. In the process, browser data is transferred to YouTube as the responsible party. For more information on the scope and purpose of the data collected, on YouTube’s further processing and use of the data, on your rights and the data protection options you can select, please see YouTube’s data protection notice at policies.google.com/privacy.

 

Currently only applies to Austria:

 

3.4.8 Alteos "Complete Protection" Insurance

You have the option via the Flow app to take out insurance cover for your eBike, which is provided by Alteos GmbH, Tauentzienstr. 7 b/c 10789 Berlin ("Alteos"). If you are interested in this type of insurance cover from Alteos and access the Alteos website, we will forward the technical information to Alteos as to whether a Bosch ConnectModule (BCM) is installed in your eBike and whether you have activated the eBike Alarm function. The forwarding of this information is necessary in order to be able to make an optimal preselection when accessing the Alteos pages (this can then be easily changed).

It is possible that Alteos may process this information at locations outside the EU or the EEA/Switzerland (e.g. in the US). The legal basis for the transfer of data to Strava is the Contract. For more information about Alteos' processing of your personal data and your rights as a data subject, please see Alteos' privacy policy at https://alteos.com/de/datenschutz.

4. App analysis

We need statistical information about the use of our online offer in order to make it more user-friendly, to measure reach and to conduct market research. For this purpose, we use the app analysis tool described in this section. The tool provider only processes data as a processor in accordance with our guidelines and not for its own purposes.

Below you will find information on the individual tool providers.

Google Firebase

In our online offer, we use Google Firebase, a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Firebase") to develop and enhance mobile applications. In doing so, Google processes data on our behalf. We use several features from Firebase in our app.

(a) Firebase Analytics

We use Firebase Analytics to continuously improve our app and develop new products and services. It analyses user interaction, i.e. how you use the app, which functions of the app you access, how often you open the app or when the app is uninstalled. This information helps us to further develop our platform and app and to adapt them to the needs of our users. The data is only processed in pseudonymised form and used for evaluations for statistical purposes and transmitted to Google. On our behalf, Google evaluates this usage analysis (e.g. in comparison to other apps) and provides results and further services based on this. The advertising ID of your device is used for evaluation by Google Inc. You have the option of restricting access to the device ID of your mobile device in the device settings. The legal basis for this processing is the legitimate interest. The legitimate interest of Bosch eBike Systems is to optimise its own products and thus to maintain or promote your satisfaction.

(b) Crashlytics

In addition, we use the Firebase function "Crashlytics" to stabilise and improve our apps. In the process, data is collected about the end device you use and the use of our apps (device ID and the time stamp, when the respective app was started and when a malfunction occurred), which enables us to diagnose and rectify malfunctions. When using Firebase Crashlytics, your data is processed by us in pseudonymised form – without a user ID. Google assures in its Firebase privacy policy that this data is not merged with other data and thus no conclusions can be drawn about your person. The legal basis for this processing is the legitimate interest. The legitimate interest of Bosch eBike Systems is to optimise its own products and services, to develop new products and services and thus to maintain or increase your satisfaction.

(c) Firebase Cloud Messaging

In addition, we use the "Firebase Cloud Messaging" service to send you technically-related push notifications or in-app messages to your device. In the process, your device is assigned a pseudonymised device token ID, a unique connection number generated from the device ID, which we use to address the push messages or in-app messages to you. Google acts here as a service provider on our behalf. The legal basis for this processing is the Contract.

As a result of the settings we make, personal data (device ID) is processed and stored to the extent possible in the member states of the European Union or in other countries that are party to the Agreement on the European Economic Area and Switzerland. Google assures that personal data are processed within the EU or the EEA and Switzerland.

(d) Firebase Performance Monitoring

We use the Firebase Performance Monitoring service to detect app performance issues and fix them. For this purpose, information on the operation of important functions within the Flow app as well as its network behaviour is collected in order to be able to improve the quality and reliability of the Flow app and the infrastructure used. Here, the following information, for example, is processed: Device type (e.g. iOS, Android), operating system, mobile services provider, radio/network information (e.g. WiFi, LTE), country, language, signal strength, battery level and charging status, app version and network URLs. When monitoring HTTP network requests, URLs without URL parameters are used to create aggregated and anonymous URL patterns that are then stored and displayed. The legal basis for the processing is the legitimate interest. The legitimate interest of Bosch eBike Systems is to optimise its own products and services, to develop new products and services and thus to maintain or increase your satisfaction.

(e) Firebase Remote Config

With the help of Firebase Remote Config, changes can be made to app settings configurations on apps already installed in end devices without having to completely re-download and re-install them from the app store for each change. The legal basis for the processing is legitimate interest. The legitimate interest of Bosch eBike Systems is to optimize its own products and services, to develop new products and services and thus to maintain or promote your satisfaction.

5. Use of cookies

Cookies and tracking mechanisms may be used in the context of our online offer. Cookies are small text files that can be stored on your device when you visit our online offer. Tracking is possible using various technologies. In particular, we process information using pixel technology and/or log file analysis.

 

5.1 Categories

We distinguish between cookies that are absolutely necessary for the technical functions of the online offer, and such cookies and tracking mechanisms that are not absolutely necessary for the technical function of the online offer. In principle, the use of the online offer is also possible without cookies that do not serve technical purposes.

 

5.1.1 Technically essential cookies

By technically essential cookies we mean cookies without which the technical provision of the online offer cannot be guaranteed. These include, for example, cookies that store data to ensure smooth playback of video or audio material. Such cookies are deleted when you leave the website.

 

5.1.2 Cookies and tracking mechanisms that are not technically necessary

We only use cookies and tracking mechanisms if you have given us your prior consent in each case. The cookie that saves the current status of your privacy settings (selection cookie) is an exception. This cookie is set on the basis of legitimate interest.

For these cookies and tracking mechanisms, we distinguish between two subcategories:

  • Comfort Cookies

These cookies facilitate the operation and thus enable you to surf our online offer more comfortably; e.g. your language settings may be included in these cookies. Comfort cookies are not currently used on the website.

  • Marketing cookies

Through the use of marketing cookies, we and our partners are able to show you offers based on your interests, which result from an analysis of your user behaviour.

  • Analysis mechanisms

We use analysis mechanisms to compile anonymous statistics on the use of our services, such as the number of page views. With the help of such evaluations, we can improve our online offer or develop new products and services. We use the following tools:

Name: Google Tag Manager

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Function: Management of website tags via an interface, integration of program code on our websites.

Name: Google Analytics

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Function: Analysis of user behaviour (page views, number of visitors and visits, downloads), creation of pseudonymous user profiles based on cross-device information of logged-in Google users (cross-device tracking), enrichment of pseudonymous user data with target group-specific information provided by Google, retargeting, UX testing, conversion tracking and retargeting in conjunction with Google Ads.

The legal basis for the processing of this data is your consent.

 

5.2 Management of cookies and tracking mechanisms

You can manage your cookie and tracking mechanism settings in the browser and/or in our privacy settings. Note: The settings you choose only relate to the browser you use.

  • Disabling all cookies
    If you want to disable all cookies, please disable cookies in your browser settings. Please note that this may affect the functionality of the website.
  • Managing your settings regarding cookies and tracking mechanisms that are not technically necessary
    When you visit our websites, you will be asked in a cookie layer whether you agree to our use of comfort cookies, marketing cookies or tracking mechanisms. In our privacy settings, you can revoke the consent with future effect or give us your consent at a later date.

6. Duration of storage; retention periods

We always store your data for as long as is necessary for the provision of our online offer and the associated services or as long as we have a legally recognised legitimate interest in continued storage. In all other cases, we delete your personal data, with the exception of data that we must retain in order to fulfil legal obligations, e.g. we are required by tax and commercial law to retain documents such as contracts and invoices for a certain period of time. Otherwise, you can delete all your data directly from the app at any time.

7. Security

We use all necessary technical and organisational measures to ensure an adequate level of protection and to protect your data under our management, in particular against the risks of accidental or unlawful destruction, manipulation, loss, alteration or unauthorised disclosure or access. Our security measures are constantly being improved in line with technological developments.

8. Your rights according to Art. 12 ff. GDPR and/or according to the Swiss Federal Data Protection Act

To assert your rights, please use the information in the section "Responsible parties and contact" (see point 1). In doing so, please ensure that we can clearly identify you. Please address your claims listed below to https://request.privacy-bosch.com/entity/RB/.

 

8.1 Right to information and disclosure

You have the right to receive information from us about the processing of your data. Taking into account the transparency requirements, we have designed our web offer and our app in such a way that you can access the most important information about yourself in a well-structured and detailed manner directly via our platform and app electronically and in an independent manner at any time. Of course, you also have the option of contacting us directly using the contact addresses above, especially if you would like information about the storage of personal data in the context of customer service or about a specific processing operation.

 

8.2 Right to correction and deletion

You can demand from us the correction of incorrect data and – provided the legal requirements are met – the completion or deletion of your data. In addition, you have the option to correct, amend or delete your data directly on our platform or in the app. If data is not allowed to be deleted due to legal requirements, processing is restricted until deletion (see below).

 

8.3 Restriction of processing

You can demand from us – provided the legal requirements are fulfilled – that the processing of your data is restricted.

 

8.4 Data transferability

You also have the right to receive data that you have made available to us in a structured, standard and machine-readable format or – if technically feasible – to demand that the data be transferred to a third party. For this purpose, we have provided you with appropriate export functionalities and various formats on our platform.

 

8.5 Right of withdrawal and right of objection

 

8.5.1 Individual right of objection

If we process data on the basis of a legitimate interest (Art. 6 Para. 1 letter f, GDPR), as set out in this privacy policy, you have the right to object to this processing at any time. To do so, please contact the addresses described above (see section 1). We will then stop processing your data unless other legal grounds legitimise this processing or there is an overriding legitimate interest of Robert Bosch GmbH in processing your data (e.g. if the further processing serves the assertion, exercise or defence of legal claims). The legality of the processing of your data up to the time of the objection remains unaffected by this. It may also be the case that certain services can no longer be made available to you.

 

8.5.2 Right to revoke consent

If you have given us consent to process your data, you can revoke this consent at any time with effect for the future. This also applies to the revocation of declarations of consent made to us before the GDPR came into force, i.e. before 25 May 2018. To do so, please contact the addresses described above (point 1). In our portal, you can deactivate granted consents for certain processing operations yourself. The legality of the processing of your data until revocation remains unaffected by this. Please note that in the event of revocation of consent, certain services cannot be provided for technical reasons, as they necessarily require the processing of personal data. This does not apply to objections relating to the receipt of electronic advertising. We automatically delete the data when the purpose of the processing has ceased to exist or you have revoked your consent and there is no other legal basis for the data processing. If the latter applies, we delete the data after the other legal basis no longer applies.

 

8.6 Right of appeal to the supervisory authority

You have the right to file a complaint with a data protection supervisory authority. For this purpose, you can contact the data protection supervisory authority responsible for your place of residence or your federal state or the data protection supervisory authority responsible for us. The data protection supervisory authority responsible for us is the State Commissioner for Data Protection and Freedom of Information Baden-Württemberg.

9. Changes to this privacy policy

We reserve the right to change our security and data protection measures as far as it becomes necessary due to technical developments. In these cases, we will also adapt our privacy policy accordingly. Please therefore note the current version of our privacy policy.

Date: 04.07.2023