Data Privacy Information T-Mobile HotSpot GmbH (“Telekom”) for

Austrian FlyNet App

Data privacy information

T-Mobile HotSpot GmbH attaches great importance to protecting your personal data. We always inform

you what personal data we collect, how your data is used, and how you can influence the process.

The app offers the option to create a user account. If you decide to register a user account, you can save a

preferred payment method and/or voucher codes in the app. If you opt to use the app in guest mode, these

functions will not be available. The remaining functions of the app, such as purchasing Wi-Fi packages

before or during the flight, do not depend on the access method.

1. What data is recorded, how is it used, and how long is it stored?

a) When registering:

To register for the app, you will have to enter your name and e-mail address. This data is required

for Contract performance (Art. 6 (1) b GDPR) and is stored on our servers until you delete your user

account. The app can be used with a user account, the necessary information then will have to be

put in manually for every single purchase.

Authentication Partners

If you use a third-identity party provider to create a user account, the third-party identity provider

will grant us access to your personal data. The data will only be transferred once you have given

your explicit consent. You can always revoke your consent in the user account settings of your

third-party identity provider account.

If you are using the credentials of your third-party identity provider account (Facebook, Google,

Apple, Miles&More) to register in our app or to login, we will import personal data, to create the

user account.

We request the following information to create a user account:

▪ Name

▪ E-Mail-Address

b) When using the app:

When you use the app, our servers will temporarily record your device’s IP address and other

technical details, such as the requested content (Art. 6 (1) b GDPR).

Apart from inputting data using the keyboard you can also use this app to dictate text. Voice input

(Google) or dictation function (Apple) is a functionality which our app’s operating system provides.

During use, a third party processes the speech (e.g., Apple or Google) as processor and delivers

the result to our app, entering it into the input field. Contact your specific operating system vendor

for details on the functionality, and how you can switch on/off usage.

When using the app, the following data will be processed and stored

Page 2 of 8

2. Personal Data collected when using the app in guest mode

Personal Data (Wi-Fi Package Purchase)

Personal data based on your input

- Name

- E-Mail (mandatory for invoice and credentials)

We process this data to provide you access to the Internet via HotSpot and to be able to answer

any inquiries you might have, e.g. regarding outages or cancellation requests.

Collection of Connection Data (Wi-Fi Package Purchase)

a) For invoicing and reimbursement in case of usage, we collect the following data:

- Username (numerical)

- Name

- Timestamp (start and stop)

- Product type

b) During usage:

- Used data volume

- Used time

- Payment method

- Transaction ID

- HotSpot Location (airline, aircraft)

Storage Period per Flight

The detailed connection data is anonymized after 7 days and then deleted.

Payment Data (Wi-Fi Package Purchase)

Your payment data is recorded directly at the billing service providers and not stored by T-Mobile

HotSpot GmbH.

The billing data is stored exclusively for the purpose of maintaining an error-free infrastructure and

for invoice-relevant questions and is deleted after 90 days

We work with the companies listed below to process payments for HotSpot Pass based on the

payment processes offered:

Payment with Credit Card:

-Payment Service Provider – Computop Wirtschaftsinformatik GmbH, Schwarzenbergstr. 4, 96050

Bamberg,Germany

- Credit Card Acquirer – Elavon Financial Services Limited, Lyoner Str. 36, 60528 Frankfurt am

Main, Germany

- American Express Payment Services Limited, Theodor- Heuss-Allee 112, 60486 Frankfurt am

Main, Germany

Page 3 of 8

Payment per Apple Pay über Computop:

Apple Pay, 1 Infinite Loop, Cupertino, California, 95014, United States

Computop Wirtschaftsinformatik GmbH, Schwarzenbergstr. 4, D- 96050 Bamberg

Payment by Miles and More:

- Miles & More GmbH, MAC Main Airport Center, Unterschweinstiege 8, 60549 Frankfurt/Main,

Germany

Payment by AliPay (Wirecard)

– Einsteinring 35, 85609 Aschheim, Germany AliPay (Europa) S. A. - 9, rue du Laboratoire, L-1911

Luxembourg, Grand Duchy of Luxembourg

Storage period for master data and payment data (voucher customers)

When a bill is paid by voucher, all master and payment data is deleted after 90 days.

3. Personal Data collected when using the app as a registered user

Personal Data (Wi-Fi Package Purchase)

Personal data based on your input

- Name

- E-Mail (mandatory for invoice and credentials)

We process this data to provide you access to the Internet via HotSpot and to be able to answer

any inquiries you might have, e.g. regarding outages or cancellation requests.

Collection of Connection Data (Wi-Fi Package Purchase)

a) For invoicing and reimbursement in case of usage, we collect the following data:

- Username (numerical)

- Name

- Timestamp (start and stop)

- Product type

b) During usage:

- Used data volume

- Used time

- Payment method

- Transaction ID

- HotSpot Standort (Flugzeug, Airline)

Storage Period per Flight

The detailed connection data is anonymized after 7 days and then deleted.

Payment Data (Wi-Fi Package Purchase)

You can store one preferred payment method (credit card, PayPal, MaM) in your user account. By

storing a payment method, you enable the 1-click purchase feature in the app. The stored payment

method is not stored in the app, it is pseudonymized and stored on the servers of Deutsche Telekom

Ag.

Page 4 of 8

The billing data is stored exclusively for the purpose of maintaining an error-free infrastructure and for

invoice-relevant questions and is deleted after 90 days.

We work with the companies listed below to process payments for HotSpot Pass based on the

payment processes offered:

Payment with Credit Card:

-Payment Service Provider – Computop Wirtschaftsinformatik GmbH, Schwarzenbergstr. 4, 96050

Bamberg,Germany

- Credit Card Acquirer – Elavon Financial Services Limited, Lyoner Str. 36, 60528 Frankfurt am

Main, Germany

- American Express Payment Services Limited, Theodor- Heuss-Allee 112, 60486 Frankfurt am

Main, Germany

Payment per Apple Pay über Computop:

Apple Pay, 1 Infinite Loop, Cupertino, California, 95014, United States

Computop Wirtschaftsinformatik GmbH, Schwarzenbergstr. 4, D- 96050 Bamberg

Payment by Miles and More:

- Miles & More GmbH, MAC Main Airport Center, Unterschweinstiege 8, 60549 Frankfurt/Main,

Germany

Payment by AliPay (Wirecard)

– Einsteinring 35, 85609 Aschheim, Germany AliPay (Europa) S. A. - 9, rue du Laboratoire, L-1911

Luxembourg, Grand Duchy of Luxembourg

Storage period for master data and payment data (voucher customers)

Your personal data is stored until you delete your user account. Your account will be automatically

deleted after five years of inactivity. Your payment data will be deleted after 90 days.

If you decide to store a preferred payment method in your user account, this payment method will

be pseudonymized and stored on the servers of Deutsche Telekom AG and linked to your user

account.

The stored payment method will be deleted, when you delete the payment method in your user

account or when you delete your user account. If you do not delete your payment method, it will be

stored as long as it is valid.

Deletion of your user account

If you wish to delete your user account, but no longer have access to it, you can send an e-mail to

inflight@telekom.de and request the account deletion. Please provide your name and e-mail

address the account was registered with. The user account will be deleted promptly.

Page 5 of 8

4. Authorizations

For the app to work on your device, it needs access to various functions and data on the device. You

need to grant certain authorizations to do so (Art. 6 (1) a GDPR).

The authorizations are programmed differently by the various manufacturers. Individual authorizations

may e.g. be combined in authorization categories, and you can only grant consent to the authorization

category as a whole.

Please remember that if you withhold consent for one or a number of authorizations, you may not have

access to the full range of functions offered by our app.

If you have granted authorizations, we will only use them to the extent described below:

Location data

The app requires information on your current location for the purpose of:

The app requires access to the Internet via Wi-Fi or mobile data network for the purpose of:

▪ Connection Management. The network name, which is mandatory for the connection

management, is only provided by the operating system to the app once the location data has been

shared

▪ There is no permanent storage

Internet communication

The app requires access to the Internet via Wi-Fi or mobile data network for the purpose of:

▪ Loading of the current products

▪ Executing payment procedures

▪ Storing discount codes (if logged in)

▪ Redemption of discount codes

▪ Querying user account information (if logged in=

▪ There is no permanent storage

5. Does the app send push notifications?

Push notifications are messages that the app sends to your device and that are displayed with top

priority. This app uses push notifications by default, provided you have given your consent during the

app installation or the first time you use the app (Art. 6 (1) a GDPR)

You can deactivate receipt of push notifications at any time in your device settings.

The data is processed by the contract data processors 360Dialog GmbH or MoEngage

6. Will my usage habits be evaluated, e.g. for advertising purposes or tracking?

Explanations and definitions:

We want you to enjoy using our app and take advantage of our products and services. We have an

economic interest in ensuring this is the case. We analyze your usage habits on the basis of

anonymized or pseudonymized data so you can find the products that interest you and so we can make

our app user-friendly. We or companies commissioned by us to process data create usage profiles to

the extent permitted by law. This information cannot be traced back to you directly. The following

information is intended to provide you with general information on the various purposes of processing

data. You can change your data privacy settings to consent to the use of the tool, or reject their use

accordingly. Tools that are strictly necessary to provide the app’s cannot be rejected (see explanation

at 1. above).

Page 6 of 8

Tag management (strictly necessary)

Tag management is used to manage tracking tools in apps. A tag is set for each page to do this. Based

on the tag, the system can determine which tracking tools should be used for this page. Tag

management can be used to specifically control tracking so that the tools are only used where

appropriate.

Market research / Reach measurement (opt-in)

Reach measurement aims to statistically determine an app’s use intensity and the number of users

as well as obtaining comparable figures for all the connected services. Individual users are not

identified at any time. Your identity is always protected.

Improvement of the app’s technical quality (opt-in)

To measure the quality of the app programming or to register crashes and causes, the program

sequence and usage habits are analyzed. Individual users are not identified.

a) Analysis tools

These tools help us to improve our understanding of how our apps are used.

Analysis tools allow for the collection of usage and identification data by the original provider or

third party providers and their compilation into pseudonymous usage profiles. We use analysis

tools, e.g., to determine the number of individual users of an app, to collect technical data if the

app has crashed, and to analyze the app’s usage patterns and user interactions on the basis of

anonymous and pseudonymous information. This information cannot be traced back to a person.

The legal basis for these tools is Art. 6 (1) a GDPR.

Company

Purpose

Storage period

Country of processing

Adjust

Customized

design

28 days

Germany

MoEngage

Customized

design

In-app messages

24 months

India

b) Tools with optional usage

These tools are activated when you use additional functions, e.g. the chat. The possible functions

are explained in section 1 of this data privacy information. The legal basis for these tools is Art. 6

(1) a GDPR respectively for third Countries Art. 49 (1) a GDPR.

Company

Purpose

Storage period

Country of processing

MoEngage

Push messages

24 months

India

c) Services by other companies (independent third party providers)

Some pages of our app pages feature services of third party providers, who bear the sole

responsibility for their services. This involves the use of tools to capture data while the app is used

and transmission of the data to the respective third party provider. Some of the data may be

transmitted for Deutsche Telekom’s own purposes. The legal basis for these tools is Art. 6 (1) a

GDPR. The scope, purpose and legal basis on which further processing is carried out for the third

Page 7 of 8

party’s own purposes can be found in the third party’s data privacy information. Information about

these independent third party providers can be found in the following.

Austrian Airlines

On one page we are linking out to the Austrian FlyNet® portal. Austrian FlyNet® is hosted by

Austrian Airlines AG, Office Park 2, Postfach 100, A-1300 Vienna Airport, Austrian. When

visiting the portal, a cookie with be placed in your browser. For more information, please visit

https://www.austrian.com/gb/en/data-protection. During the flight, you can find the necessary

information under www.austrian-flynet.com

7. Where can I find the information that is important to me?

This data privacy information provides an overview of the items which apply to Deutsche Telekom

processing your data in this app.

Further information, including information on data privacy information for specific products, is

available at https://www.telekom.com/en/corporate-responsibility/data-protection-data-

security/data-protection and https://www.telekom.com/en/deutsche-telekom/privacy-policy-1744.

8. Who is responsible for data processing? Who should I contact if I have any queries regarding data

privacy at Deutsche Telekom?

T-Mobile HotSpot GmbH acts as the data controller. If you have any queries, please contact our

Customer Services department or the Group Data Privacy Officer, Dr. Claus D. Ulmer, Friedrich-Ebert-

Allee 140, 53113 Bonn, Germany datenschutz@telekom.de.

9. What rights do I have?

You have the right

a) To request information on the categories of personal data concerned, the purposes of the

processing, any recipients of the data, and the envisaged storage period (Art. 15 GDPR);

b) To request that incorrect or incomplete data be rectified or supplemented (Article 16 GDPR);

c) To withdraw consent at any time with effect for the future (Art. 7 (3) GDPR);

d) To object to the processing of data on the grounds of legitimate interests, for reasons relating to

your particular situation (Article 21 (1) GDPR);

e) To request the erasure of data in certain cases under Art. 17 GDPR – especially if the data is no

longer necessary in relation to the purposes for which it was collected or is unlawfully processed,

or you withdraw your consent according to (c) above or object according to (d) above;

f) To demand, under certain circumstances, the restriction of data where erasure is not possible or

the erasure obligation is disputed (Art. 18 GDPR);

g) To data portability, i.e., you can receive the data that you provided to us in a commonly used and

machine-readable format such as CSV, and can, where necessary, transfer the data to others

(Art. 20 GDPR);

h) To file a complaint with the competent supervisory authority regarding data processing (for

telecommunications contracts: the German Federal Commissioner for Data Protection and

Freedom of Information (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit);

for any other matters: State Commissioner for Data Protection and Freedom of Information, North

Page 8 of 8

Rhine-Westphalia (Landesbeauftragter für den Datenschutz und die Informationsfreiheit

Nordrhein-Westfalen).

10. Who does Deutsche Telekom pass my data on to?

To processors, i.e., companies we engage to process data within the legally defined scope,

Article 28 GDPR (service providers, agents). In this case, Deutsche Telekom also remains responsible

for protecting your data. We engage companies particularly in the following areas: IT, sales, marketing,

finance, consulting, customer services, HR, logistics, and printing.

To cooperation partners who, on their own responsibility, provide services for you or in conjunction

with your Deutsche Telekom contract. This is the case if you order services of these partners from us,

if you consent to the involvement of the partner, or if we involve the partner on the basis of legal

permission.

Owing to legal obligations: In certain cases, we are legally obliged to transfer certain data to a state

authority that requests it. Example: Upon presentation of a court order, we are obliged under Section

101 of the German Copyright Act (UrhG) to provide the owners of copyrights/ancillary copyrights with

information about customers who have allegedly offered copyrighted works via Internet file sharing

services.

11. Where is my data processed?

Your data will be processed in Germany and other European countries.

If, in exceptional cases, your data is also processed in countries outside the European Union (i.e., in

third countries), this is done only if you have explicitly given your consent, if it is required so we can

provide you with services, or if it is prescribed by law (Article 49 GDPR). Furthermore, your data is

processed in third party countries only if certain measures ensure a suitable level of data protection

(e.g., EU Commission's adequacy decision or suitable guarantees, Art. 44 et seq. GDPR).

This data privacy information was last updated 2/8/2023