PRIVACY POLICY – KLASS WAGEN GMBH (AUSTRIA)

Effective date: 10.12.2025

Klass Wagen GmbH (“Klass Wagen”, “we”, “our”, “us”) is committed to protecting your personal data and processing it in a transparent and lawful manner. This Privacy Policy explains what data we collect, why we collect it, and how we process it in accordance with Regulation (EU) 2016/679 (GDPR) and the Austrian Data Protection Act (Datenschutzgesetz – DSG).

By using our website, booking a rental, or interacting with us, you agree to the practices described in this Privacy Policy.

INTRODUCTION

1. Purpose of this Privacy Policy

This Privacy Policy explains how Klass Wagen GmbH (“Klass Wagen”, “we”, “our”, “us”) collects, processes, stores, shares, and protects personal data in accordance with:

• Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR)
• The Austrian Data Protection Act (Datenschutzgesetz – DSG)
• The Austrian Telecommunications Act 2021 (Telekommunikationsgesetz – TKG 2021)
• Austrian accounting and commercial laws (BAO, UGB)
• Guidance by the Austrian Data Protection Authority (Datenschutzbehörde – DSB)

This document applies to customers, website users, contractual partners, employees, trainees, job applicants, and any person whose data we process in Austria.

2. Who We Are

Klass Wagen GmbH
Address: Schwadorf Industrie Strasse 1, 2432 Vienna, Austria
Company Register (Firmenbuch): 652569k
EUID: ATBRA.652569-000
Corporate Purpose: Rental of movable property (excluding weapons, medical devices, aircraft) and commercial activity except regulated professions.
Data Protection Email: [email protected]

3. Scope of this Privacy Policy

This policy covers data processed through:

• Our website
• Our reservation and vehicle rental systems
• Our mobile communication channels (email, WhatsApp, SMS, phone)
• Our office and on-site customer service
• Insurance and accident handling
• GPS & telematics systems
• Fraud prevention and risk scoring tools
• HR, payroll, and employee training processes
• Cookies and tracking technologies

CHAPTER 1 — DEFINITIONS

Key GDPR and Austrian legal terms:

• Personal Data: Any information relating to an identified or identifiable natural person.
• Processing: Any operation performed on personal data.
• Controller: Entity determining purposes and means of processing — Klass Wagen GmbH.
• Processor: Service providers acting on our behalf.
• Data Subject: Any person whose data is processed.
• Profiling: Automated processing used to evaluate behaviour or risk.
• Supervisory Authority: Austrian Data Protection Authority (DSB).
• DSG: Austrian Data Protection Act.
• TKG 2021: Austrian Telecommunications Act governing cookies and tracking.

CHAPTER 2 — PRINCIPLES OF PROCESSING (GDPR Art. 5)

We follow:

1. Lawfulness, fairness, transparency
2. Purpose limitation
3. Data minimisation
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
7. Accountability

CHAPTER 3 — CATEGORIES OF PERSONAL DATA PROCESSED

3.1 Customer and Driver Data

• Name, surname
• Date of birth
• Address, nationality
• Phone number, email
• Driver’s license details
• ID/passport details
• Rental history

3.2 Contract & Payment Data

• Contract numbers
• Bank cards (processed by external processors)
• Billing data
• Deposits, refunds

3.3 Vehicle Telematics & GPS Data

• Real-time GPS coordinates
• Start/stop positions
• Speed, direction, ignition status
• Incident-related data

3.4 Accident & Insurance Data

• Accident descriptions
• Police reports
• Photos, witness information

3.5 Fraud Prevention & Risk Scoring

• Previous rental behaviour
• Cross-border attempts
• Payment anomalies
• Internal reports

3.6 HR & Employee Data

• Recruitment documents
• Payroll data
• Contracts
• Training records
• Performance-related data

3.7 Communication Data

• Phone recordings (if applicable)
• WhatsApp business messages
• Email correspondence

3.8 Cookies & Tracking Data

• IP addresses
• Session identifiers
• Behavioural analytics
  Collected under TKG 2021 only with consent (except essential cookies).

CHAPTER 4 — PURPOSES & LEGAL BASES

4.1 Contract Performance (Art. 6(1)(b))

• Creating and managing reservations
• Vehicle rental operations
• Payment processing
• Providing customer support

4.2 Legal Obligations (Art. 6(1)(c))

Required by:

• BAO & UGB (accounting retention: 7 years)
• Insurance law
• Road Traffic Act when responding to authorities
• DSG for certain mandatory disclosures

4.3 Legitimate Interests (Art. 6(1)(f))

Including:

• Fraud prevention
• Risk scoring
• Vehicle safety & GPS tracking
• Preventing theft
• Ensuring compliance with rental terms
• IT and network security
• Customer service optimisation

4.4 Consent (Art. 6(1)(a))

Used for:

• Marketing communications
• Non-essential cookies
• Tracking technologies
• Optional surveys

4.5 HR Legal Basis

• Employment contract
• Austrian employment law obligations
• Legitimate interest
• Consent for optional training or photos

CHAPTER 5 — SOURCES OF DATA

• Directly from customers
• Third-party booking platforms
• Payment processors
• Insurance companies
• Police or authorities
• Internal systems
• Employee-provided HR documents

CHAPTER 6 — COOKIES & TRACKING (TKG 2021 COMPLIANT)

We use:

Essential Cookies

Required for site operation.

Analytics Cookies (consent required)

Google Analytics
Microsoft Clarity
Hotjar

Marketing Cookies (consent required)

Facebook Pixel
AddThis
Brevo Email Tracking

We never activate non-essential cookies without explicit opt-in consent.

CHAPTER 7 — AUTOMATED DECISIONS & RISK SCORING

We may automatedly evaluate:

• Probability of rental misuse
• Payment default risk
• Cross-border fraud patterns

No automated decision produces legal effects without human review.

CHAPTER 8 — VEHICLE TELEMATICS POLICY (REAL-TIME GPS)

We track vehicles in accordance with Austrian DPA guidelines:

Purposes

• Theft prevention
• Accident management
• Contract enforcement
• Operational safety
• Cross-border misuse prevention

Prohibited Uses

• Monitoring customer personal habits
• Employee behavioural monitoring unless explicitly lawful

Retention

• GPS logs: 7 days, unless associated with an incident (accident, police request).

CHAPTER 9 — DATA RETENTION

Retention rules under BAO/UGB + GDPR

• Tax & accounting: 7 years
• Contracts: 7 years
• Rental forms: 3 years
• Accident files: 10 years
• GPS: 7 days (normal), up to legal requirement for incidents
• HR files: duration of employment + 7 years
• CCTV (if used): max 72 hours
• Emails: 12 months

CHAPTER 10 — INTERNATIONAL TRANSFERS

We may transfer data outside the EU only with:

• Standard Contractual Clauses (SCCs)
• Additional safeguards (encryption, access control)
• Compliance with the Schrems II ruling

Processors include AWS, Microsoft, Meta, and others.

CHAPTER 11 — WHO WE SHARE DATA WITH

Processors (examples)

• Cloud hosting: AWS, Azure
• Email and marketing: Brevo
• Analytics: Google, Microsoft
• Payments: Shift4 / PayU / Stripe
• Internal IT companies
• Customer support tools

Other recipients

• Insurance partners
• Police and authorities
• Courts
• Other Klass Wagen group companies

CHAPTER 12 — SECURITY MEASURES (TOMs)

We implement:

• Encryption
• Access control
• MFA
• Firewalls
• Logging & monitoring
• Secure data centers
• Staff training
• Backup and recovery protocols

CHAPTER 13 — RIGHTS OF DATA SUBJECTS

You may request:

• Access
• Rectification
• Erasure
• Restriction
• Objection
• Data portability
• Withdrawal of consent

Supervisory Authority in Austria

Österreichische Datenschutzbehörde
Barichgasse 40–42, 1030 Wien
www.dsb.gv.at

CHAPTER 14 — EMPLOYEE & HR DATA PROCESSING

We process HR data for:

• Employment contracts
• Payroll and tax obligations
• Timekeeping
• Internal training
• Compliance with Austrian labor law

Cross-border HR training is based on:

• Contract performance
• Legitimate interest
• Internal administrative purposes

CHAPTER 15 — MINORS’ DATA

We do not knowingly process data of persons under 18 unless required for a rental contract and documented guardian consent is received.

CHAPTER 16 — CONTACT DETAILS

Klass Wagen GmbH
Schwadorf Industrie Strasse 1
2432 Vienna, Austria
Email: [email protected]
Customer Support: [email protected]

CHAPTER 17 — CHANGES TO THIS POLICY

We may update this policy. The latest version is always available at:
www.klasswagen.com

ANNEX A — LIST OF PERSONAL DATA CATEGORIES

(Detailed categorization of all personal data processed by Klass Wagen GmbH)

1. Customer Identification Data

• Full name
• Date of birth
• Address (residential)
• Nationality
• ID/passport number, issuing authority, expiration date
• Driver’s license number, category, issuing state, validity
• Signature (digital or on paper)
• Customer ID in internal systems

2. Contact Data

• Phone number
• Email address
• Emergency contact (optional)

3. Contractual & Financial Data

• Reservation number
• Rental contract number and history
• Vehicle data associated with the contract
• Payment method, partial card data (tokenized)
• Deposits, refunds, invoices
• Billing address
• Payment status, overdue amounts

4. Vehicle Usage & Telematics Data

• GPS location (real-time)
• Ignition status, engine start/stop
• Speed, direction, acceleration
• Odometer data
• Fuel level, battery status
• Diagnostic codes where applicable
• Incident-related data (accidents, breakdowns)

5. Accident, Damage & Insurance Data

• Accident reports
• Photos, videos
• Witness statements
• Police report numbers
• Insurance claim numbers
• Correspondence with insurance companies

6. Fraud Prevention & Risk Scoring Data

• Rental behaviour patterns
• Cross-border attempts
• Payment irregularities
• Internal risk scoring values
• Flagged lists (internal only)

7. Communication Data

• Emails
• SMS and WhatsApp business messages
• Phone call metadata or recordings (if applicable)
• Chatbot interactions
• Customer support tickets

8. Website & Cookie Data

• IP address
• Device identifiers
• Browser type, session logs
• Analytics (Google Analytics, Clarity, Hotjar)
• Cookie preferences
• Marketing tracking identifiers (consent-based)

9. HR & Employee Data

• CV, application forms
• Work contract, performance reviews
• Payroll, tax identifiers
• Time and attendance logs
• Training records
• Security access logs

ANNEX B — RECORDS OF PROCESSING ACTIVITIES (RoPA)

(GDPR Art. 30 Compliant – Summary Format)

Below is the standard RoPA table content.

1. Customer Reservation & Rental Processing

• Purpose: Reservation management, rental contract creation, customer service
• Data Categories: Identification, contact, contract data, driver license
• Legal Basis: Art. 6(1)(b) contract; Art. 6(1)(c) legal obligation
• Recipients: Insurance partners, authorities (if required), payment processors
• Retention: 7 years (BAO/UGB)
• Security: Encryption, access control, MFA, logging

2. Payment Processing

• Purpose: Payment, billing, deposits
• Data Categories: Tokenized card data, billing details
• Legal Basis: Art. 6(1)(b); Art. 6(1)(c) accounting
• Recipients: Shift4/PayU/Stripe, accounting systems
• Retention: 7 years
• Security: PCI-compliant processors, encryption

3. GPS & Telematics Tracking

• Purpose: Theft prevention, safety, accident management, contract enforcement
• Data Categories: Real-time GPS, speed, ignition, incident data
• Legal Basis: Legitimate interest (Art. 6(1)(f)); legal obligation where applicable
• Recipients: Police (on request), insurance companies
• Retention: 7 days; extended for incidents
• Security: Encrypted channels, restricted access

4. Marketing & Analytics

• Purpose: Website analytics, advertising, remarketing
• Data Categories: Cookie identifiers, IP, behaviour
• Legal Basis: Consent (Art. 6(1)(a))
• Recipients: Google, Meta, Microsoft
• Retention: As defined in cookie banner (typically 12–24 months)
• Security: Pseudonymization, limited retention

5. Fraud Prevention & Risk Scoring

• Purpose: Prevent financial or vehicle misuse
• Data Categories: Rental history, scoring indicators
• Legal Basis: Art. 6(1)(f) legitimate interest
• Recipients: Internal only; in rare cases authorities
• Retention: Up to 3 years
• Security: Restricted access, audit logs

6. Accident & Insurance Handling

• Purpose: Resolve damages, insurance claims
• Data Categories: Photos, police reports, witness info
• Legal Basis: Art. 6(1)(c) legal obligation; Art. 6(1)(f) legitimate interest
• Recipients: Insurance companies, authorities
• Retention: 10 years
• Security: Encrypted storage, role-based access

7. HR Processing

• Purpose: Employment management
• Data Categories: Contracts, payroll, evaluations
• Legal Basis: Employment law; Art. 6(1)(b); Art. 6(1)(c)
• Recipients: Tax authorities, payroll processors
• Retention: Employment + 7 years
• Security: Access control, secure storage

ANNEX C — DATA PROCESSORS USED BY KLASS WAGEN GMBH

(Full processor inventory with purposes)

1. Cloud Infrastructure & Hosting

• Amazon Web Services (AWS) — hosting, databases, backups
• Microsoft Azure — cloud storage, virtual machines

2. Communication & Marketing

• Brevo (Sendinblue) — email automation, marketing
• Meta / Facebook Business Tools — advertising
• Google Ads / Analytics — performance tracking
• Microsoft Clarity — session recording

3. Payment Processors

• Shift4
• Stripe
• PayU
  (PCI-DSS compliant, tokenized transactions)

4. Customer Support Tools

• Chatbot/CRM providers (e.g., Intercom, Zendesk — if applicable)
• WhatsApp Business Platform

5. IT & Security Providers

• Server monitoring companies
• Cybersecurity solutions (antivirus, SIEM)
• Backup and disaster recovery services

6. Insurance & Legal Partners

(Only when handling claims)

• Local Austrian insurance companies
• Legal advisors

7. Other Klass Wagen Group Companies

• For internal administrative purposes under joint controllership or data sharing agreements.

ANNEX D — TELEMATICS INFORMATION SHEET

(Required transparency notice for customers in Austria)

1. Purpose of GPS Tracking

Klass Wagen GmbH uses GPS and telematics data strictly for the following purposes:

• Theft prevention and vehicle recovery
• Accident assistance and insurance reporting
• Ensuring contractual compliance (e.g., cross-border restrictions)
• Operational safety and diagnostics

2. Legal Basis

• Art. 6(1)(f) GDPR – legitimate interest
• Insurance and road safety obligations
• Austrian DSB guidance on acceptable use of vehicle tracking

3. What Data Is Collected

• Real-time GPS location
• Start/stop positions
• Speed, direction
• Ignition on/off
• Error/diagnostic codes
• Accident-triggered data (e.g., sudden deceleration)

4. Data Retention

• Standard GPS logs: 7 days
• Accident / insurance-related data: up to legal requirement (max 10 years)

5. Who Has Access

• Authorized Klass Wagen staff
• Insurance companies (in case of incident)
• Police or authorities (only upon legal request)

6. Prohibited Uses

We do not use telematics data for:

• Monitoring customer personal lifestyle or behaviour
• Employee performance evaluation (unless legally justified)
• Marketing or profiling unrelated to safety or contract enforcement

7. Your Rights

You can request:

• Access to telematics data associated with your rental
• Rectification (where applicable)
• Deletion (when retention period expires)

ANNEX E — LEGAL BASIS MATRIX

(Purpose → Category → Legal Basis → Retention → Recipients → Safeguards)

Purpose	Data Categories	Legal Basis	Retention	Recipients	Safeguards
Rental contract creation	ID data, contact data, driving license	Art. 6(1)(b)	7 years	Insurance, authorities	Encryption, access control
Payments	Billing, card token	Art. 6(1)(b),(c)	7 years	Payment processors	PCI-DSS, MFA
GPS tracking	Telematics	Art. 6(1)(f)	7 days (longer for incidents)	Police, insurance	Encrypted transmission
Marketing	Cookies, analytics	Art. 6(1)(a)	12–24 months	Google, Meta	Consent management
Fraud prevention	Rental history, scoring	Art. 6(1)(f)	3 years	Internal	Access logs
Insurance accidents	Photos, reports	Art. 6(1)(c),(f)	10 years	Insurance, police	Restricted storage
HR management	Employment data	Art. 6(1)(b),(c)	Employment + 7 years	Tax authorities	Secure HR systems
Customer support	Communications	Art. 6(1)(f)	12 months	Internal	Logging, encryption