§ 1 Data controller
The controller (Verantwortlicher) under GDPR Art. 4 (7) is:
Stuttgart Taxi FB GmbH
Austraße 107
70376 Stuttgart
Germany
Phone: +49 152 2929 8484
Email: info@stuttgart-airport-transfer.com
Managing Director: Furkan Bakir
Data Protection Officer (DPO). A statutory DPO under Art. 37 GDPR / § 38 BDSG is not currently required: we employ fewer than 20 persons engaged in automated processing of personal data on a permanent basis, and our core activities do not consist of large-scale, regular monitoring or large-scale processing of special categories of data. For all data-protection enquiries, please contact us at info@stuttgart-airport-transfer.com with the subject line “Datenschutzanfrage / GDPR request”.
§ 2 Categories of personal data we process
We deliberately collect the minimum data necessary to fulfil a fixed-price transport contract and to comply with German tax-retention obligations. The categories below correspond to the columns of the bookings table held with our database processor (see § 4) and to the access logs of our hosting provider.
- Identity data: first and last name.
- Contact data: email address, mobile phone number.
- Booking data: pickup and drop-off addresses (street + city + post code, plus latitude/longitude for routing), pickup date and time (Europe/Berlin), vehicle class (Standard / Van / Premium), passenger count, luggage count, optional flight number, optional driver note.
- B2B / invoicing data (optional): company name, German or EU VAT-ID, postal billing address.
- Payment data: we do not see or store full card numbers. Stripe (see § 4) processes the card directly; we receive only a non-sensitive snapshot — card brand (e.g. “Visa”) and the last four digits — plus the Stripe PaymentIntent ID, authorised amount, and capture status. PCI DSS classifies this snapshot as non-sensitive, so it may be stored in line with industry standards.
- Booking-status data: internal state machine values (pending, confirmed, in progress, completed, cancelled, no-show), timestamps, internal dispatcher notes (only visible to the dispatcher, never returned to the customer).
- Cancellation token: a 24-byte cryptographically random token (192 bits of entropy) used to authorise guest cancellation without a customer account. The token is bound to a single booking and useless without the corresponding booking ID.
- Hotel attribution (B2B partner): if you arrived via a partner hotel link with a query parameter such as ?hotel=marriott, the partner identifier is stored against the booking for commission accounting. No further hotel-side data is processed.
- Server access logs: IP address (in truncated/hashed form for analytics; full for security monitoring), user-agent, timestamp, requested URL, HTTP status, response size, referer. Retained 7 days for fraud / abuse detection.
We do not process special categories of data (health, religion, ethnicity, biometrics) under Art. 9 GDPR. We do not profile customers or use automated decision-making with legal effect under Art. 22 GDPR.
§ 3 Purposes of processing and legal bases
Booking creation and contract performance
Live price calculation, address geocoding, route distance, vehicle assignment, dispatcher confirmation, ride execution.
Basis · Art. 6 (1) (b) GDPR — performance of a contract to which you are a party, or pre-contractual measures at your request.
Card payment processing, refunds
Charge of the fixed price on your card via Stripe at booking confirmation; full or partial refund in cancellation cases per the cancellation policy.
Basis · Art. 6 (1) (b) GDPR (contract). Stripe acts as a separate controller for fraud-prevention purposes per its own privacy policy.
Booking confirmation and reminder emails
One confirmation email after successful card hold, a reminder 24 h before pickup, and a final pickup reminder ≈1 h before pickup. All transactional, no marketing content.
Basis · Art. 6 (1) (b) GDPR — necessary to perform the transport contract reliably (you would not know your driver is on the way without these notices).
Cancellation processing
On cancellation via the email link or by phone, we update the booking status, release / partially capture the Stripe hold according to the cancellation tier, and send a written confirmation.
Basis · Art. 6 (1) (b) GDPR (your right to cancel) and Art. 6 (1) (c) GDPR (statutory accounting record-keeping for the partial capture).
Invoicing and tax records
Generation of a VAT-compliant invoice, retention of booking + invoice + payment trail.
Basis · Art. 6 (1) (c) GDPR in conjunction with §§ 147 AO (German Fiscal Code) and 257 HGB (German Commercial Code) — 10-year statutory retention.
Dispatcher panel (internal admin)
Display of the booking list, manual confirmation, status transitions, refund/cancel initiation. Access protected by HTTP basic auth; only authorised dispatchers.
Basis · Art. 6 (1) (b) GDPR (contract) and Art. 6 (1) (f) GDPR (legitimate interest in operating the service efficiently).
Server logs (security and abuse detection)
Detection of brute-force, scraping, fraud signals; debugging of production incidents.
Basis · Art. 6 (1) (f) GDPR — legitimate interest in operating a secure service. Balanced against your interests by short retention (7 days) and minimal log content.
Aggregate website analytics (consent-based)
If you opt in via the cookie banner, Microsoft Clarity records pseudonymous session events (clicks, scroll depth) and Google Analytics 4 collects aggregate traffic and conversion data. Without consent, neither tool is loaded — see § 4 (subprocessors) and § 7 (cookies) for details.
Basis · Art. 6 (1) (a) GDPR — explicit consent. Withdrawable any time via the “Cookie settings” link in the footer.
Phone / email enquiries (without booking)
If you contact us before or instead of booking, we process your message to answer it.
Basis · Art. 6 (1) (b) GDPR (pre-contractual) or Art. 6 (1) (f) GDPR (legitimate interest in customer service). Retained for as long as needed to answer the enquiry, plus the statutory limitation period.
§ 4 Subprocessors and third-party services
We engage the following processors (Auftragsverarbeiter) under written agreements per Art. 28 GDPR. Each processor is bound to act only on our instructions, to apply technical and organisational security measures proportionate to the risk, and to delete or return the data on termination.
Supabase Inc.
Frankfurt am Main, Germany (eu-central-1)
Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992
Purpose: Hosting of the booking database (PostgreSQL), file storage, authentication
Categories of data: Master data · Booking data · Status · Internal notes · Card snapshot (brand + last4)
Transfer mechanism: Data is processed exclusively in EU data centres. The parent company is in Singapore; remote support access is governed by EU-aligned contractual clauses.
Stripe Payments Europe Ltd
Ireland (primary), with replication within EU/EEA
Stripe Payments Europe Ltd, 1 Grand Canal Street Lower, Dublin 2, Ireland
Purpose: Card payment processing (direct charge at booking time), refunds, partial refunds, fraud prevention
Categories of data: Card data (encrypted, never stored by us) · Email · Billing address · Card brand + last 4 digits · IP address (fraud signals)
Transfer mechanism: Stripe is an Irish entity. Stripe Inc. (USA) acts as a sub-processor for global infrastructure; the transfer is covered by the EU-US Data Privacy Framework (DPF, certified) and supplementary Standard Contractual Clauses (SCCs) per Art. 46 (2) (c) GDPR.
Komoot GmbH (Photon API)
Germany
Komoot GmbH, Karl-Liebknecht-Straße 1, 10178 Berlin, Germany
Purpose: Address autocomplete (geocoding via OpenStreetMap data)
Categories of data: Address strings entered by the user · Approximate browser locale
Project OSRM (Open Source Routing Machine, public instance)
EU
Project OSRM, c/o FOSSGIS e.V., Rennbahnstraße 14, 60528 Frankfurt am Main, Germany
Purpose: Driving distance and duration calculation between two coordinate pairs
Categories of data: Pickup latitude/longitude · Drop-off latitude/longitude
OpenStreetMap Foundation (Nominatim)
United Kingdom — operated under UK GDPR (covered by the EU's post-Brexit adequacy decision, see § 5)
OpenStreetMap Foundation, St John's Innovation Centre, Cowley Road, Cambridge CB4 0WS, United Kingdom
Purpose: Reverse geocoding (coordinates → city name) for fixed-route price matching
Categories of data: Pickup latitude/longitude · Drop-off latitude/longitude
Transfer mechanism: UK is recognised as adequate under Art. 45 GDPR (Adequacy Decision of 28 June 2021).
Bakir Group SMTP / Mail infrastructure + Audit-Trail
Germany (Netcup data centre, Nuremberg/Karlsruhe)
Stuttgart Taxi FB GmbH, Austraße 107, 70376 Stuttgart, Germany
Purpose: Outbound email delivery (booking confirmation, reminders 24 h and 1 h before pickup, cancellation confirmation, invoice, review request, admin notification) and audit-trail persistence in the mail_log table for legal retention. Retention horizons: invoices 10 years (§ 147 AO, tax-law retention period), other transactional emails 3 years (§§ 195/199 BGB, standard limitation period), non-converted enquiries 6 months. The right to erasure (Art. 17 GDPR) is fulfilled by in-place anonymisation (recipient_email, name and body_preview are redacted; the audit row is retained as legal proof of erasure) rather than by hard deletion.
Categories of data: Recipient email · Customer name · Booking reference · Booking details (subject + first 500 chars of plain-text body) · Cancellation token · SMTP message-id (delivery proof) · Send-status + error-message (where applicable)
Netcup GmbH
Germany (ANEXIA Internetdienstleistungs GmbH, Nuremberg)
Netcup GmbH, Daimlerstraße 25, 76185 Karlsruhe, Germany
Purpose: vServer hosting, reverse-proxy operation, container runtime
Categories of data: Server access logs (IP, user-agent, timestamp, requested path)
Microsoft Ireland Operations Ltd (Clarity)
EU primary, with onward transfer to Microsoft Corporation (USA) for analytics processing
Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland
Purpose: Session recording, click heatmaps, conversion-funnel analysis (consent-based, project ID wlid8hv2ne)
Categories of data: Anonymised page interactions · Mouse movements · Click events · IP address (truncated) · User-agent · Cookies _clck (1 y) and _clsk (1 d)
Transfer mechanism: Transfer to Microsoft Corporation (USA) covered by the EU-US Data Privacy Framework (DPF, Microsoft is certified) and supplementary Standard Contractual Clauses under Art. 46 (2) (c) GDPR. Loaded only after explicit user consent (Art. 6 (1) (a) GDPR).
Google Ireland Ltd (Google Analytics 4)
EU primary, with onward transfer to Google LLC (USA) for analytics processing
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Purpose: Aggregated website analytics — sessions, traffic sources, conversion paths (consent-based, property ID G-DBK7C2XFC0)
Categories of data: Anonymised IP address (anonymizeIp = true) · Cookies _ga (2 y) and _ga_* (2 y) · User-agent · Page-view events · Conversion events
Transfer mechanism: Transfer to Google LLC (USA) covered by the EU-US Data Privacy Framework (DPF, Google is certified) and supplementary Standard Contractual Clauses under Art. 46 (2) (c) GDPR. Operated under Google Consent Mode v2 — until consent is granted, only cookieless “ping” events without user identifiers are sent. After consent: full GA4 with anonymized IP, ad-personalisation disabled, ad-signals disabled.
§ 5 International data transfers
All primary data processing happens in EU/EEA data centres. Structural third-country transfers are limited to three processors and only occur on the legal bases set out below:
- Stripe (payment): card processed by Stripe Payments Europe Ltd in Ireland; Stripe Inc. (USA) acts as sub-processor for fraud-prevention signals and support escalations. Necessary for contract performance under Art. 6 (1) (b) GDPR.
- Microsoft Clarity (analytics): anonymised interaction data transferred to Microsoft Corporation (USA) for session-recording and heatmap analysis. Loaded only after your explicit consent under Art. 6 (1) (a) GDPR — see § 7 below for the consent mechanism.
- Google Analytics 4 (analytics): anonymised page-view data transferred to Google LLC (USA) for aggregate website analytics. Loaded only after your explicit consent under Art. 6 (1) (a) GDPR. Until consent is granted, GA4 runs in Google's “Consent Mode v2 default-deny” mode, sending only cookieless ping events with no user identifier.
All three transfers are protected by a layered safeguard:
- Stripe Inc., Microsoft Corporation, and Google LLC are all certified under the EU-US Data Privacy Framework (DPF); the European Commission has adopted an adequacy decision for the DPF on 10 July 2023 (Implementing Decision (EU) 2023/1795).
- Each processor additionally maintains Standard Contractual Clauses (SCCs) under Art. 46 (2) (c) GDPR as a backup, in case the DPF were ever invalidated.
- A Data Processing Agreement under Art. 28 GDPR is in place with each of these processors; Stripe's is published at stripe.com/legal/dpa.
No other processor transfers data outside the EU/EEA except Nominatim (OpenStreetMap Foundation), whose UK operations are covered by the European Commission's renewed adequacy decision for the United Kingdom of 17 December 2024 (Implementing Decision (EU) 2024/3300, replacing the original adequacy decision of 28 June 2021 which would otherwise have expired on 27 June 2025).
§ 6 Retention periods
- Booking records, invoices, payment trail: 10 years from the end of the calendar year in which the booking was concluded (mandatory under § 147 (1) AO and § 257 HGB), then automatic erasure.
- Cancellation token: deleted on booking completion or after 90 days post-pickup, whichever is later.
- Server access logs: 7 days, then rotated and overwritten.
- Stripe data: Stripe retains payment records for the period required by EU and US financial-services law (typically 7 years). See Stripe's privacy policy for details.
- Email correspondence: retained as long as the related business matter is open, plus 6 years (correspondence relevant to commerce per § 257 (1) No. 4 HGB).
- Microsoft Clarity / Google Analytics data: only collected if you have consented — Clarity sessions retained for 90 days, GA4 user-level data retained for 14 months (default). Aggregate reports kept indefinitely.
§ 7 Cookies, device storage, and consent management
Note on naming: § 25 of the German cookie-consent statute was relocated from the former TTDSG (Telekommunikation-Telemedien-Datenschutz-Gesetz) to the renamed TDDDG (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz) on 14 May 2024 when the Digital Services Act package took effect. The substantive provision is unchanged.
Cookies and similar device-storage technologies fall into two categories on this site:
- Strictly necessary — required for the site to function (booking form, payment iframe, language preference). These run without consent under § 25 (2) No. 2 TDDDG.
- Optional analytics — Microsoft Clarity and Google Analytics 4. These set cookies and transfer data to the USA. They load only after you actively accept them in our cookie banner (Art. 6 (1) (a) GDPR + § 25 (1) TDDDG). Until you accept, neither tool reads or writes anything beyond Google's “Consent Mode v2 default-deny” cookieless pings.
Withdrawing consent. You can change your decision any time via the “Cookie settings” link in the page footer. Withdrawal applies prospectively (Art. 7 (3) GDPR) — it does not invalidate processing that took place during the consented period, but it stops further processing and clears the analytics cookies on your device on next page-load.
| Cookie / storage | Purpose | Lifetime | Category |
|---|---|---|---|
| sat-consent-v1 | Stores your cookie-banner decision (analytics: granted/denied) plus the ISO timestamp of the decision. | localStorage (until manually cleared) | Strictly necessary |
| __stripe_mid, __stripe_sid | Set by the Stripe iframe to support fraud detection and 3-D Secure on the payment page only. | __stripe_mid: 1 y · __stripe_sid: 30 min | Strictly necessary |
| NEXT_LOCALE | Stores selected interface language for repeat visits. | 1 year | Strictly necessary |
| sessionStorage (booking flow) | In-browser state of the multi-step booking form, so reloading does not lose your input. | Cleared on tab close | Strictly necessary |
| _clck, _clsk | Set by Microsoft Clarity to associate session-recording events to a pseudonymous visitor ID — only after consent. | _clck: 1 y · _clsk: 1 d | Analytics — opt-in |
| _ga, _ga_DBK7C2XFC0 | Set by Google Analytics 4 to distinguish users and sessions for aggregate analytics — only after consent. IP is anonymised, ad signals and ad personalisation are disabled. | 2 years | Analytics — opt-in |
If you decline analytics in the banner, neither Microsoft Clarity nor Google Analytics are loaded; the site falls back to no behavioural analytics at all. You can use the booking flow end-to-end without any analytics consent.
§ 8 Automated decision-making and profiling
We do not use automated decision-making with legal effect on you under Art. 22 GDPR. Stripe runs algorithmic fraud detection on the card-authorisation step; if a transaction is declined for fraud signals, we do not capture it but we also do not use that signal for any decision beyond that single attempt. You may always reach a human dispatcher on +49 152 2929 8484 to complete the booking by alternative means.
§ 9 Information society services for children
Our service is intended for adult travellers. We do not knowingly market to or accept bookings from individuals under the age of 16 acting independently of a parent or guardian, in line with Art. 8 (1) GDPR. If you become aware that a minor has provided us with personal data without verifiable parental consent, please contact us so we can erase the record.
§ 10 Your rights as a data subject
You have the following rights, exercisable at no cost:
- Right of access — Art. 15 GDPR.
- Right to rectification — Art. 16 GDPR.
- Right to erasure (“right to be forgotten”) — Art. 17 GDPR, subject to statutory retention obligations under §§ 147 AO, 257 HGB.
- Right to restriction of processing — Art. 18 GDPR.
- Right to data portability — Art. 20 GDPR (machine-readable export of the data you provided to us).
- Right to object — Art. 21 GDPR (in particular to processing based on legitimate interests).
- Right to withdraw consent — Art. 7 (3) GDPR, where processing is based on consent (in our setup this covers the optional analytics cookies described in § 7 and any marketing channel you separately consent to; the default booking flow is based on contract performance and does not require consent).
- Right to lodge a complaint with a supervisory authority — Art. 77 GDPR.
Send any rights request to info@stuttgart-airport-transfer.com with subject “Datenschutzanfrage / GDPR request”. We respond within one month under Art. 12 (3) GDPR; for complex or numerous requests we may extend by a further two months and will notify you within the original month.
§ 11 Right to lodge a complaint
You may lodge a complaint with any data-protection supervisory authority in the EU/EEA, in particular at your habitual residence, place of work, or place of the alleged infringement (Art. 77 GDPR). The competent authority for us is:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI BW)
Königstraße 10a
70173 Stuttgart, Germany
Phone: +49 711 615541-0
Email: poststelle@lfdi.bwl.de
Web: www.baden-wuerttemberg.datenschutz.de
§ 12 Data security (technical and organisational measures)
We apply technical and organisational measures (TOMs) commensurate with the risk per Art. 32 GDPR:
- TLS 1.3 encryption for all data transmissions (HTTPS only, HSTS-enabled).
- Encrypted database with AES-256 at-rest encryption (Supabase managed Postgres).
- Cancellation tokens generated with gen_random_bytes(24) (192 bits of entropy) — cryptographically infeasible to guess.
- Secrets (Supabase service role, Stripe keys, SMTP credentials) stored as environment variables on the server only, never in the source repository.
- Servers located in Frankfurt am Main (eu-central-1) and Karlsruhe / Nuremberg (Netcup), in ISO-27001-certified facilities.
- HTTP basic auth on the dispatcher panel (/dispo) before any business logic runs; no public path leaks.
- Continuous dependency monitoring and security patching of the Node.js, Next.js, and Postgres versions in use.
- Principle of least privilege for backend access — only authorised employees hold dispatcher credentials.
§ 13 Changes to this privacy policy
We may amend this notice to reflect changes to our processing or to legal requirements. The current version is always available at https://stuttgart-airport-transfer.com/datenschutz. The “Last reviewed” date at the top of the page reflects the latest substantive amendment. Where amendments affect data subjects materially, we will notify customers with active bookings by email.
Stuttgart Taxi FB GmbH · Austraße 107 · 70376 Stuttgart · VAT DE450522631