Privacy Policy
- Note to read the Privacy Policy
The privacy policy provides you with a comprehensive presentation on how we handle and process your personal data (including: collecting, storing, processing, sharing and protecting your data). We remind you that before you use our services, it is your obligation, in accordance with our Terms of Use, to read, understand and agree to our privacy policy in addition to our Terms of Use.
We value your privacy very much and strive to make the privacy policy as understandable as possible. However, we cannot rule out the possibility that you may not be able to understand the Privacy Policy in part. If so, please contact us before expressing your consent to our Privacy Policy and we will be happy to answer any questions you may have.
- Responsibility for Data Protection
Responsibility for data protection lies with Safety Tax Free GmbH (referred to in the following as “we”), based in Zeppelinstr. 33, 85748 Garching b. Munich in Germany, commercial register number HRB 225103 of the district court of Munich. We act with regard to data protection according to the General Data Protection Regulation of the EU. Supervisory authority is the Bavarian State Office for Data Protection:
Bayerisches Landesamt für Datenschutzaufsicht
Promenade 27
91522 Ansbach
Tel.: 0981 53 1228
E-Mail: peter.meier@lda.bayern.de
- Purpose of Data Processing
We offer a variety of services such as tourism advice, sales of goods, tax refund service(s) (also referred to as VAT refund service or VAT refund program) and marketing services. Tax refund service is a service that allows tourists from third countries to fully or partially receive the VAT paid on purchases in the EU as a rebate. When offering our services, it is likely that we will perform data processing to fulfil the contract with you or to fulfil our legal obligations. It may also happen that we carry out data processing in order to improve our services – in the case that your consent is given to us – otherwise data processing with this purpose will not be carried out.
- Basic Principles of Data Processing
We carry out data processing only when we:
4.1. have contracted with you and the data processing is partly or fully necessary for us to fulfil the obligations arising from the contract with you;
4.2. are required by law to perform data processing in whole or in part;
4.3. obtain consent from you that we recognize and which authorizes or obliges us to perform data processing in whole or in part.
- Special Terms for Privacy Policy of our Website
When you visit our website, your data will be recorded during the ongoing connection for communication between your internet browser and our web server:
- Date and time of request
- Name of requested file
- Page from which file was requested
- Access status (file transfer, file not found, etc)
- Web browser and operating system
- Full IP address of requesting computer
- Transferred amount of data
For technical and security reasons, we temporarily store data. An identification of one individual person is not possible using this data.
Collection of Additional Data
If you do not use the contact form on our website, there will be no further data collection. If you use the contact form on our website or contact us by e-mail, we will collect, process and use the personal information you provide in your request for the purpose of processing your request.
Web Tracking Method (Range Measurement)
When you visit our website, we do not use any analysis programs or other techniques for evaluating user behaviour on our website.
Active Components
The use of active components such as Java applets or Active X controls is not available for our website. JavaScript will be used to provide the search function and the possibility of encrypted contact.
Security of Data Transfer
We realize transport encryption with HTTPS with Perfect Forward Secrecy and the current encryption protocol TLS 1.2. The transmission of data you send us using the contact form on our website is also encrypted in terms of content and the decryption of this data can only be carried out by us.
- Data collected by Us
Data we collect from you is divided into the following categories:
6.1. Data that you submit to us.
In order to receive our services, for example the tax refund service, a Safety Tax Free Tourist Account (hereinafter referred to as STF Tourist Account) can be created and used, providing you with fast and transparent tax refund procedures. The same applies to creating a Safety Tax Free Travel Agent Account (in the following STF Travel Agent Account). STF Tourist Accounts and STF Travel Agent Accounts can be collectively named as a Safety Tax Free Customer Account (hereinafter referred to as STF Customer Account).
When creating an STF Customer Account, we ask you to provide personal information, including e-mail address, telephone number, full name, passport number, date of birth, and a photo of the first page of your passport – some of this data can be specified later, at latest before disbursement of your tax refund. Some of this data is not needed for creating an STF Travel Agent Account. If you use your WeChat (also known conventionally as “Weixin”) account to create an STF Customer Account, we will also collect your WeChat-ID (the identification number of your WeChat account).
For disbursement of your tax refund, we need some payment data in addition to your personal data, including:
- a UnionPay card account number, if you actively instruct us to receive your tax refund to the UnionPay card account number you have provided to us;
- a WeChat Pay account number, if you actively instruct us to receive your tax refund to the WeChat Pay account number you have provided to us;
- a bank account number (the number of a bank account of the Single Euro Payments Area, also known as SEPA) including the full name of the account holder, if you actively instruct us to receive your tax refund to the bank account you have provided to us.
6.2. Data that we collect when you use our services
When using our services, such as our mobile application, we collect the information of the model and identification number of your device and information of the operating system installed on the device.
- Device Information and Log Information
When you use our services via WeChat or our mobile application, we automatically collect the device information and log information, including information about your IP address, information about the hardware and software you use, device event data, unique device identification, crash data, your user behaviour (namely, how you use our services), access data and times, cookie data, and the web pages you accessed or interacted with. Such information is needed to secure the full functionality of our services.
- Local Storage
If you use our services via our mobile application, we will need information about your local storage, such as information about the remaining local storage to secure that the mobile application can be successfully installed or to notify you if local storage is insufficient.
- Location Information
When using our services, such as searching for retailers or navigating to retailers, we automatically collect your location information. If you disagree with this, you can turn off the feature when setting up your mobile device and we cannot offer you the related features in this case.
- Storage of collected Data
We store collected data on a server provided by an external service provider which is located in the territory of the EU and offers high-level security. The service provider has no right to access the stored data.
- Use of collected Data
We use the collected data to achieve the purposes outlined in section 3 above.
- Transfer of collected Data
We will only pass on your data in the following cases:
9.1. We will pass on collected data if you give us your consent. In this case we will carry out the transfer under instructions of your consent;
9.2. We will pass on the collected data in a reasonable scope to courts, law enforcement agencies and other government agencies or authorized third parties if the disclosure is required from an objective point of view for the following purposes:
- to fulfil the legal obligations;
- in response to the claims made against us.
9.3. We will pass on the collected data to external service providers to a reasonable extent or grant access rights to the collected data to external service providers if the disclosure is required to provide our services and only if a contract processing agreement between us and the external service provider is completed and the external service provider is familiar with the fact that the data transmitted by us must fulfil the statutory data protection obligations. These service providers have limited access to your data to perform their tasks on our behalf and are under contractual obligations to protect them and use them only for the exact purposes for which they were shared and in accordance with this Privacy Policy. We engage external service providers to support us in the following areas:
- verification or authentication of your identification documents;
- comparison of data with public databases;
- assistance with background or police checks, fraud prevention and risk assessments;
- product development, maintenance and troubleshooting;
- providing our services through third-party platforms and software tools (for example through integration with our technical interfaces, conventionally referred to as APIs);
- providing customer service and consulting, such as external call center service providers who offer telephone assistance to you;
- providing technical support and methods on making settlement of redeemed purchase coupons, such as external technical development service providers to develop relevant technical functions;
- providing payment services, such as external payment service providers to help us transfer your VAT refund to the UnionPay card account, WeChat-Pay account or SEPA bank account specified by you.
10. Your Rights
You may e-mail your request to us to exercise the rights described in this section. Please note that we may ask you to confirm your identity for processing your request. The method described in subsections in the section on exercising your rights remains unaffected.
10.1 Access to your personal data
You can log in to your STF customer account and access your personal data. Please pay additional attention to the following notes on data storage:
- In the case that you haven’t used your STF Customer Account to activate the Tax Free Form which was issued to you within 36 months after its creation, or you haven’t physically sent us the Tax Free Form which was issued to you and signed by you within 36 months after its creation, we will delete the data collected for issuing the Tax Free Form from our databases and servers.
- In the case that we have successfully reimbursed the VAT refund resulting from a Tax Free Form to your STF Customer Account, we will further encrypt the data on your Tax Free Form 12 months after reimbursement. The data will be stored to comply with legal requirements for the necessary period of time.
10.2 Update and correction of your personal data
You have the right to update or correct your personal data. After you have logged in to your STF Customer Account, you can update and correct your personal data. In some cases, the update or the correction will take effect after our confirmation. Please be aware that it is your responsibility to keep your personal data up to date.
10.3 Export of your personal data
You have the right to export the personal data stored by us. In order to export personal data stored by us, you can contact us by e-mail or post. In this case, we will contact you to request a personal identification. Within 30 days of receiving your e-mail or letter and your personal identification, we will provide you with the requested data and confirm your inquiry in written form.
10.4 Deletion of your personal data
You have the right to delete the personal data stored by us. You can delete your personal data by deleting your STF customer account, except for the data which is legally or contractually required to be stored for a certain period of time (e.g. legally required personal data for VAT refund).
10.5. Revocation of consent and restriction of processing
In cases that you have given us your consent to the processing of your personal data, you always have the right to revoke your consent at any time with the effect for the future. In these cases, you can send an e-mail to us.
You also have the right to restrict our use of your personal information if: (i) the validity of your personal information is disputed; (ii) the processing is unlawful; (iii) the personal data is no longer necessary for our processing and you need the personal data for the establishment, exercise or defence of legal claims; or (iv) you object to our processing and it is not yet determined if the legitimate interests of us outweigh your own.
11. Data Security
We strive to protect your personal information from unauthorized access, unauthorized alteration, disclosure or destruction. We use the following measures to do this:
- we encrypt the necessary data transaction paths of our services using SSL;
- we always carry out the exporting and deleting of your personal data requested by you only after a successful verification of your personal identity;
- we restrict access to personal information only to employees and contractors who need access to perform the tasks assigned to them, who are subject to strict confidentiality obligations and who may be disciplined or dismissed if they fail to comply with these obligations.
12. Scope of the Privacy Policy
Our privacy policy applies to all our services, including our websites www.safetytaxfree.com and www.yituishui.com. This Privacy Policy does not apply to services that have separate privacy policies which are not covered by this Privacy Policy.
13. Changes
If necessary, we will change our Privacy Policy and publish the changes on this page (www.safetytaxfree.com/privacy). In case of significant changes, we will also notify you. The notification will be carried out via a message in the STF app, on the WeChat platform or by e-mail. We will not reduce your rights within this Privacy Policy without your explicit consent.