These are the data protection notices of our “Compensaid” service, which is operated by Lufthansa Innovation Hub GmbH. Please contact us if you have any kind of question about the topic of data protection.
You can contact us at any time on all topics concerning data protection and exercising your rights:
Lufthansa Innovation Hub GmbH
Rosenthaler Str. 32
You can contact our data protection officer on all issues related to the fulfilment of individual rights:
Deutsche Lufthansa AG
Group Privacy Officer - FRA CJ/D
Airportring - LAC
60546 Frankfurt, Germany
Use of the services offered on our website:
We offer various services on our website. For this purpose, we must collect and process certain customer data.
Data processing when viewing pages / web hosting / logs:
In order to provide our service to you, we process addressing information (such as the IP address and the selected resource). For optimal presentation on your device, we also process some device information (such as the browser, resolution and operating system version). For registered users, we process the stored customer data in order to provide our service. Our service is operated on the servers of our hosting provider. We create server logs to detect and fix possible bugs. These logs are kept for 30 days and then deleted. The legal basis for this processing is Article 6 (1) (f) of the GDPR.
Processing your flight data for the Miles & More mindfulflyer function:
You can now link your Miles & More user account with your Compensaid account. This makes it possible to always credit your compensated flights to the Miles & More mindfulflyer function and to display your compensated flights in your Miles & More user profile.
In order to do this, your flight data and Miles & More service card number are transmitted from Compensaid to Miles & More. Your consent is the legal basis for this processing (Art. 6 para. 1 S. 1 lit. a DSGVO). You can revoke this at any time in the user account. The data will be processed to improve Miles & More services and stored for three years after the date of issue. You can find more information on the data protection information of Miles & More and the processing of Miles & More M-Connect data by Compensaid at here.
Website usage analysis via Google
When users visit this website we collect statistical web data, such as the number of page views, as well as pseudonymous unique IDs, using the Google Analytics and Google Tag Manager tools. We collect this data in order to analyze the actions of anonymized users and thus optimize our service. We process the data on the basis of our legitimate interest in optimizing the website. If you do not want your data to be processed, please click here. By doing so, we transmit to Google that you have objected to the data processing. When the data is processed, it is transmitted to the operator of the tool in Ireland. The pseudonymous user data is deleted after 14 months.
Website usage analysis via Hotjar
Single sign-on via Google and Facebook
When logging in via a single-sign-on provider, Google or Facebook, certain data that is relevant to logging in and using of the service is queried and processed. This data includes your contact information – in our case your e-mail address and name. We process this data so that our service is convenient for you to use, and to uphold our legitimate interest in user verification. In this context, we obtain the data from your single sign-on provider. We store this data until your account is deleted.
Font display via Google Fonts
To make the font available on your device, Google Fonts needs your IP address. We use this service based on our legitimate interest in providing a better website experience. As part of this, the IP address is transmitted to the tool operator, so that the service can be provided correctly on your device. Google temporarily stores this information and uses it solely for the correct representation of the fonts on your device.
Payment via Stripe or PayPal
Your payment data is processed when you make a payment. We accept the payment so that we can offer you the service you have paid for. This data is processed on the basis of Article 6 (1) (b) of the GDPR in order to fulfill the contract concluded during the purchase. As part of this, the data is sent to the respective payment provider, either Stripe or PayPal. The law stipulates that payment data must be stored for 10 years. We also anonymously process the choice of project, the amount of CO2 offset and the transaction totals.
E-mail communication via SendGrid:
We process your email address in order to offer you the user account function as well as to provide confirmations of your purchases. This takes place on the basis of the usage agreement and purchase contract. In addition, we process your email address to provide you with news about the service based on our legitimate interest. You can stop the sending of marketing e-mails at any time in your user account. The emails are sent by our service provider SendGrid. If you contact us by email regarding a purchase or your account, we will process your email address and the content of the email, either on the basis of the contract concluded with you, or based on our legitimate interest in communicating with you. We keep email communication for 12 months, unless statutory retention periods apply. In this case, we keep the e-mail communication for 6 or 10 years in accordance with the law. If you have an account, we will store your email address until your account is deleted.
Map visualization via Mapbox:
In order to display maps in your user account, we integrate the service provided by Mapbox. To transmit the map to you and display it on your screen, the service provider receives your IP address. This is done on the basis of our legitimate interest in providing you with a pleasant user experience and visualizing your flights. The IP address is transmitted to the service provider on demand when you call up the map, and is not permanently stored.
Offsetting via the climate protection organization myclimate:
If you wish to receive a donation receipt, we need your correct personal and address data. We process the data in order to fulfill the contract as well as the statutory requirements of Article 6 (1) (b) and (c) of the GDPR. The scope of data that is transferred to myclimate results from the legal framework for issuing a donation receipt. We store your address data until your account is deleted.
Profile picture via Gravatar:
Gravatar is a service that allows you to manage your own profile picture across many different accounts. If you upload a profile picture, this is done via Gravatar, and your e-mail address and picture are shared with Gravatar. This is done at your request and is optional. We share the image and your encrypted e-mail address with Gravatar. This data is stored until the profile picture is deleted or updated, in order to display the correct picture.
Mandatory provision of data:
When you create a user account, we need all the information marked as login data, otherwise it is not possible to create the account. If you want to offset a flight, we need all the information marked as mandatory. Without this, the flight cannot be offset because all the requested information is required for executing the payment.
Rights of the data subject and right of appeal:
It is an important concern for Lufthansa Innovation Hub to ensure that our processing procedures are fair and transparent. They are entitled to the following rights:
- Right to information, Art. 15 DSGVO
- Right to rectification, Art. 16 DSGVO
- Right to cancellation ("right to be forgotten"), Art. 17 DSGVO
- Right to limitation of processing, Art. 18 DSGVO
- Right to data transferability, Art. 20 DSGVO
- Right of objection according to Art. 21 DSGVO
If you have given us permission to process your personal data, we hereby inform you that you can revoke this permission at any time. To exercise your rights, you can contact us by e-mail at [email protected]
In order to process your application and for identification purposes, we would like to point out that we process your personal data in accordance with Art. 6 Para. 1 lit. c DSGVO and delete it after a period of 3 years.
In addition, you have the right to complain to a supervisory authority. You can find out which supervisory authority is responsible for you on the website of the Federal Commissioner for Data Protection and Freedom of Information under the following link: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html_Links/anschriften_links-node.html