Privacy Policy

This English version of our privacy policy is provided for your convenience only and is not legally binding. The German version alone is authoritative. In the event of any discrepancy or conflict between the two language versions, the German version shall prevail, and no rights may be derived from this English translation.

With this privacy policy, we inform you about which personal data we process, for what purposes, on what legal basis, and what rights you are entitled to. We process personal data in accordance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) and the German Telecommunications Digital Services Data Protection Act (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz, TDDDG), as well as all applicable state-specific data protection provisions.

1. Controller

The controller within the meaning of Art. 4 No. 7 GDPR is:

FRYTE Mobility GmbH
Maria-Eich-Straße 72
81243 Munich, Germany

E-mail: team@fryte.eu
Web: www.fryte.com

Managing Directors: Sebastian Wolff, Maximilian Zähringer
VAT identification number (USt-IdNr.): DE455068139
Commercial register: Local Court (Amtsgericht) of Munich, HRB 302187

For all questions concerning data protection and the exercise of your rights, you can reach us at: privacy@fryte.com

2. Scope

This privacy policy applies to:

Note on the use of the Platform by business customers: Where our customers upload their own content containing personal data in the course of using the Platform, we process such data as a processor within the meaning of Art. 28 GDPR, exclusively on behalf of and in accordance with the instructions of the respective customer. The controller for such data is the respective customer; the basis for this is the data processing agreement concluded with the customer. By contrast, this privacy policy covers only those processing operations for which we ourselves are the controller (see Section 10 for details).

3. General Principles

3.1 Legal Bases

We process personal data in particular on the following legal bases:

Where information is stored on or read from your device (e.g. cookies), this is additionally governed by Section 25 TDDDG.

3.2 Recipients and Processors

We engage external service providers to process your data, e.g. for the operation of the Website and the Platform, for analytics services or for e-mail communication. We select these service providers carefully, bind them to our instructions and monitor them regularly; we have concluded a data processing agreement pursuant to Art. 28 GDPR with each of these service providers. We name the specific service providers in connection with the relevant processing operations in this policy.

The legal basis for engaging external service providers is the legal basis of the respective processing operation for which they are used – i.e. Art. 6(1) sentence 1 (b) or (f) GDPR or, where consent has been requested, your consent pursuant to Art. 6(1) sentence 1 (a) GDPR. You may withdraw any consent you have given at any time. Beyond this, we only disclose your data where this is permitted or required by law or where you have consented.

3.3 Data Transfers to Third Countries

Some of the service providers we use have their registered office or their parent company outside the European Union or the European Economic Area (so-called third countries) or process data there. We inform you of this in connection with the relevant processing operations in this policy.

According to adequacy decisions of the European Commission, some third countries have a level of data protection comparable to that in the EU. These include, for example, Switzerland and – for companies certified under the EU-US Data Privacy Framework – the United States. A list of these countries and copies of the adequacy decisions are available at: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

In other cases, we ensure that an adequate level of data protection is guaranteed, in particular through the Standard Contractual Clauses of the European Commission pursuant to Art. 46(1) and (2)(c) GDPR. A copy of the safeguards agreed in each case, or information on where they are available, can be obtained on request at privacy@fryte.com.

3.4 Storage Period and Erasure

Unless a more specific storage period is stated in this policy, we store personal data only for as long as is necessary for the respective purpose or as required by statutory retention obligations. Once the purpose no longer applies or the relevant period has expired, the data will be erased or anonymised, unless erasure is precluded by legitimate interests (e.g. the establishment, exercise or defence of legal claims).

Our privacy notices may also contain further information on the retention and erasure of data, which takes precedence for the respective processing operations.

3.5 Obligation to Provide Data

The provision of your data is generally voluntary. However, for certain functions, the provision of specific data is required (e.g. an e-mail address for a user account or for responding to an enquiry). Without this information, we cannot provide the respective function or service.

4. Hosting and Server Log Files (AWS)

Our Website and our Platform are hosted using services of Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg (hereinafter "AWS"). AWS acts as a processor for us; a data processing agreement pursuant to Art. 28 GDPR (AWS Data Processing Addendum) is in place.

When you access our Website or Platform, so-called server log files are processed automatically in order to ensure secure and stable operation. The following data may be collected:

The legal basis is our legitimate interest in the secure, stable and abuse-free provision of our online services (Art. 6(1)(f) GDPR). The log files are stored for a maximum of 90 days; data whose further retention is required for evidentiary purposes will be retained until the respective incident has been finally resolved. This data is not merged with other data sources.

We operate our infrastructure exclusively in AWS regions within the European Union: the Website in the Stockholm region (eu-north-1) and the Platform in the Frankfurt region (eu-central-1). The parent company of AWS (Amazon Web Services, Inc.) is based in the USA; access by US authorities on the basis of US laws (e.g. the CLOUD Act) can therefore not be entirely excluded. To the extent that data is transferred to the USA, Amazon Web Services, Inc. is certified under the EU-US Data Privacy Framework; in addition, the EU Standard Contractual Clauses together with supplementary measures are in place.

5. Cookies and Consent Management

We use cookies and similar technologies on the Website and the Platform. Cookies are small text files that are stored on your device and enable your browser to be recognised.

5.1 Strictly Necessary Cookies

Strictly necessary cookies are required for operation – for example, for logging in to the Platform, session management, security functions and storing your cookie settings. They are set without consent; their storage on your device is permitted pursuant to Section 25(2) No. 2 TDDDG. The processing of the data is based on our legitimate interest in a functional and secure service (Art. 6(1) sentence 1 (f) GDPR) or, vis-à-vis registered users, on the performance of a contract (Art. 6(1) sentence 1 (b) GDPR).

5.2 Cookies and Technologies Requiring Consent

We only deploy all non-essential cookies and technologies (in particular analytics and marketing services, see Sections 6 and 7) after you have given your consent via our cookie banner (Section 25(1) TDDDG, Art. 6(1) sentence 1 (a) GDPR). You may adjust your selection at any time via the cookie settings on the respective page or withdraw your consent with effect for the future.

5.3 Consent Management (HubSpot Cookie Banner)

To inform you about the cookies used and to obtain, document and manage your consents, we use the HubSpot cookie banner (for the provider, see Section 7). In this context, your consent decision and the time it was given, as well as meta and communication data (e.g. IP address, browser information), are processed. The legal basis is our overriding legitimate interest (Art. 6(1) sentence 1 (f) GDPR) in obtaining the legally required consents, in being able to demonstrate that consent has been given (Art. 7(1) GDPR) and in complying with our information obligations. Your setting is stored until you change it or delete the corresponding cookie.

5.4 Storage Period of Cookies

The storage period depends on whether the cookies are temporary or persistent. Temporary cookies (in particular session cookies) are deleted automatically when you close your browser or log out. Persistent cookies remain stored beyond this and are deleted automatically after a period defined for each cookie. You can view the specific storage period of the individual cookies in the cookie settings (cookie banner). You can also view and manually delete cookies that have been set at any time in your browser settings.

6. Web Analytics (Google Analytics 4)

Provided you have given your consent, we use Google Analytics 4 on our Website, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").

Google Analytics enables us to statistically analyse the use of our Website. The data processed includes in particular: page views and events (e.g. clicks, scroll depth), time spent on the site, approximate location (region, based on the truncated IP address), device and browser information, and the source of the visit. In Google Analytics 4, IP anonymisation is active by default; your IP address is truncated before further processing.

The legal basis is your consent (Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG). You may withdraw your consent at any time via the cookie settings. We have concluded a data processing agreement with Google.

The data collected may be transferred to servers of Google LLC in the USA. Google LLC is certified under the EU-US Data Privacy Framework; in addition, EU Standard Contractual Clauses are in place. The retention period we have configured in Google Analytics is two months for event data and 14 months for user data. Further information: https://policies.google.com/privacy

7. CRM, Forms and Meeting Scheduling (HubSpot)

We use services provided by HubSpot. Our contractual partner and the responsible entity is HubSpot Germany GmbH, Am Postbahnhof 17, 10243 Berlin, Germany; its parent company is HubSpot, Inc., 25 First Street, Cambridge, MA 02141, USA (jointly "HubSpot"). We have concluded a data processing agreement pursuant to Art. 28 GDPR with HubSpot.

We use HubSpot for the following purposes:

We erase CRM data when it is no longer required for the purposes of the business relationship and no statutory retention obligations preclude erasure; data from enquiries that do not lead to a further business relationship is generally erased as soon as the matter has been conclusively dealt with.

Our HubSpot account is operated in HubSpot's EU data centre (region EU1, data centre in Germany with backup in Ireland). Certain data (e.g. analytics and usage data of the service, support access) may nevertheless be transferred to the USA. HubSpot, Inc. is certified under the EU-US Data Privacy Framework; in addition, the EU Standard Contractual Clauses form part of the data processing agreement. Further information: https://legal.hubspot.com/privacy-policy

8. Contact by E-mail, Telephone, Online Meetings and Forms (Microsoft 365)

You can contact us by e-mail (e.g. support@fryte.com), by telephone, in online meetings or via online forms and surveys provided by us, or submit information to us through these channels. In doing so, we process the data you provide (e.g. name, contact details, content of the communication) in order to handle and respond to your request and any resulting follow-up matters.

The legal basis is Art. 6(1)(b) GDPR where the communication serves the initiation or performance of a contract, and otherwise our legitimate interest in responding to enquiries addressed to us (Art. 6(1)(f) GDPR). We erase the data as soon as the matter has been conclusively dealt with and no statutory retention obligations preclude erasure.

For e-mail communication (Exchange Online/Outlook), online meetings (Microsoft Teams) and online forms and surveys (Microsoft Forms), we use Microsoft 365. The provider and processor is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Dublin D18 P521, Ireland ("Microsoft"); the data processing agreement (Microsoft Products and Services Data Protection Addendum) forms part of our agreement with Microsoft. In Microsoft Teams meetings, meeting metadata (e.g. time, attendance) as well as audio, video and chat content are additionally processed. We do not record online meetings by default; should a recording take place in an individual case, we will inform you in advance and obtain any required consents.

When you use Microsoft Forms, we process the information you enter in the respective form as well as the time of submission for the purpose stated in the form, in particular to handle your feedback or enquiry and to conduct and evaluate surveys (e.g. on customer satisfaction and to improve our services). The legal basis is Art. 6(1)(b) GDPR where the information serves the initiation or performance of a contract, and otherwise our legitimate interest in evaluating feedback and in quality assurance and the improvement of our services (Art. 6(1)(f) GDPR). Where a survey is designed to be anonymous, we do not collect any personal data through it; no subsequent attribution to your person will take place in that case.

Processing generally takes place in data centres within the EU (Microsoft's EU Data Boundary). Access from third countries, for example in the context of support or by the US parent company, cannot be entirely excluded. Microsoft is certified under the EU-US Data Privacy Framework; in addition, the EU Standard Contractual Clauses apply. Further information: https://privacy.microsoft.com/en-us/privacystatement

9. Monitoring and Error Analysis (Datadog)

To monitor the availability, performance and security of our Platform and its interfaces (API endpoints) and to analyse technical errors, we use Datadog. The provider is Datadog, Inc., 620 8th Avenue, 45th Floor, New York, NY 10018, USA ("Datadog"). We have concluded a data processing agreement pursuant to Art. 28 GDPR with Datadog.

In the course of monitoring and logging, technical data may be processed that may, in individual cases, relate to identifiable persons, in particular IP addresses, user or session identifiers, as well as timestamps and technical details of requests. Data collection takes place exclusively on the server side; no access to your device (e.g. through cookies or tracking scripts) takes place for this purpose.

The legal basis is our legitimate interest in the secure, stable and error-free operation of our systems and in the detection and prevention of disruptions and attacks (Art. 6(1)(f) GDPR). Log data is stored for 15 days and then erased.

We use Datadog via its EU instance; the processing and storage of telemetry data takes place in data centres within the EU. Access by the US entity (e.g. in the context of support) cannot be entirely excluded. Datadog, Inc. is certified under the EU-US Data Privacy Framework; in addition, the EU Standard Contractual Clauses form part of the data processing agreement. Further information: https://www.datadoghq.com/legal/privacy/

10. Registration and Use of the FRYTE Platform

10.1 Account and Master Data

A user account is required to use our Platform. During registration and account management, we process: first and last name, business e-mail address, password (exclusively as a cryptographic hash, never in plain text), the associated company and, optionally, further contact details (e.g. telephone number).

The purposes are user administration (login, permissions), the provision of the contractually agreed functions, as well as support and communication. The legal basis is the performance of a contract (Art. 6(1)(b) GDPR). We store the data for the duration of the contractual relationship. After the end of the contract, we retain the data for a post-termination period of 30 days so that users can export their data from the Platform (see our General Terms and Conditions in this regard); after this period expires, the data will be erased unless statutory retention periods preclude erasure. During the term of the contract, users can view and manage their data themselves.

10.2 Usage and Log Data

When you use the Platform, we process technical log data (e.g. login times, IP address, actions performed) to ensure security, analyse errors and prevent misuse. The legal basis is our legitimate interest in the secure operation of the Platform (Art. 6(1)(f) GDPR); see also Sections 4 and 9. We use anonymised usage statistics (e.g. number of route requests) without any personal reference to improve the Platform.

10.3 Booking of Charging Sessions

Where charging sessions are planned or booked via the Platform, we transmit the data required for this purpose (e.g. charging point, time slot, booking or identification reference) to the respective charge point operator or its system service provider, to the extent necessary for the performance and billing of the charging session. The legal basis is the performance of a contract (Art. 6(1)(b) GDPR). Data relevant for billing is subject to statutory retention periods (generally 6 or 10 years).

10.4 Content Uploaded by Customers (Processing on Behalf)

For content that our business customers upload to the Platform (e.g. vehicle data including licence plate numbers, route and location data, energy data), we act as a processor on behalf of the respective customer (Art. 28 GDPR). In this respect, the purposes, legal bases and storage periods are determined by the customer as the controller and by the data processing agreement concluded with the customer. Data subjects (e.g. employees of our customers) should contact the respective customer to exercise their rights in this regard; we support the customer in doing so within the scope of our contractual obligations.

11. Job Applications (JOIN)

You can apply to us via our job advertisements or careers page. In doing so, we process your application data: master data (e.g. name, address), contact details (e.g. e-mail address, telephone number) and application documents (e.g. cover letter, CV, references and the information you provide).

The purpose of the processing is to conduct the application procedure and to decide on the establishment of an employment relationship. The legal basis is Art. 6(1) sentence 1 (b) GDPR (implementation of pre-contractual measures taken at your request). Where we retain application data beyond the application procedure for the establishment, exercise or defence of legal claims (e.g. under the German General Equal Treatment Act, AGG), the legal basis is our overriding legitimate interest (Art. 6(1) sentence 1 (f) GDPR). Where we retain your data for longer with your consent, the legal basis is Art. 6(1) sentence 1 (a) GDPR; consent may be withdrawn at any time with effect for the future. Please do not include any special categories of personal data (e.g. health data) in your application unless this is necessary.

If you are hired, we will continue to process the data for the purposes of the employment relationship. Otherwise, we will generally erase your application data six months after conclusion of the application procedure, unless longer retention is required for the establishment or defence of legal claims or you have consented to longer storage.

For applicant management, we use the recruiting software JOIN. The provider is JOIN Solutions AG, Eichenstrasse 2, 8808 Pfäffikon SZ, Switzerland. In this respect, JOIN acts as our processor (Art. 28 GDPR). An adequacy decision of the EU Commission exists for Switzerland, so an adequate level of data protection is ensured. Where JOIN provides its own services to you (e.g. a candidate profile of your own with JOIN), JOIN is an independent controller in that respect; information on this can be found in JOIN's privacy policy: https://join.com/privacy

12. Presences on Social Networks (LinkedIn, YouTube)

We maintain company profiles on LinkedIn and YouTube in order to provide information about our company and our services, to communicate with you and to recruit employees. The legal basis is our legitimate interest in public relations and communication (Art. 6(1)(f) GDPR).

When you visit or interact with our profiles, the respective platform operator processes your data (e.g. usage, meta and communication data) on its own responsibility, frequently also for its own analytics and advertising purposes; we have no influence over this. We ourselves receive and process the content of your interactions with us (e.g. messages, comments) as well as aggregated statistics.

LinkedIn: The provider is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. For the processing of page statistics ("Page Insights"), we are joint controllers with LinkedIn (Art. 26 GDPR); the relevant agreement can be found at https://www.linkedin.com/legal/l/page-joint-controller-addendum. Data may be transferred to the USA; LinkedIn bases such transfers on the EU-US Data Privacy Framework or the EU Standard Contractual Clauses. Privacy policy and objection options: https://www.linkedin.com/legal/privacy-policy

YouTube: The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Where Google provides us, as channel operator, with statistical analyses of the use of our channel ("YouTube Analytics"), we assume joint controllership with Google in this respect (Art. 26 GDPR). Google does not currently provide an arrangement pursuant to Art. 26(1) sentence 2 GDPR for this purpose. The legal basis is our legitimate interest in analysing and optimising our channel (Art. 6(1)(f) GDPR). Data may be transferred to Google LLC in the USA; Google LLC is certified under the EU-US Data Privacy Framework. Privacy policy and settings options: https://policies.google.com/privacy

On our Website, LinkedIn and YouTube are merely linked; only when you click on the link do you leave our services, at which point data is transferred to the respective provider.

You may assert your data subject rights both against us and against the respective platform operator; since only the operators have full access to the user data, asserting your rights directly with the operator is generally more effective.

13. Your Rights as a Data Subject

13.1 Overview

You have the following rights vis-à-vis us with regard to the personal data concerning you:

To exercise your rights, an informal message to privacy@fryte.com is sufficient.

13.2 Right to Object (Art. 21 GDPR)

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Art. 6(1)(f) GDPR (legitimate interest). If you object, we will no longer process your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims. Where processing is carried out for the purpose of direct marketing, you may object at any time without stating reasons.

13.3 Withdrawal of Consent

You may withdraw any consent you have given at any time with effect for the future (Art. 7(3) GDPR) – for cookies and analytics services, most easily via the cookie settings on the respective page, and otherwise via the contact details stated above. The lawfulness of processing carried out prior to the withdrawal remains unaffected.

13.4 Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority about our processing of your personal data (Art. 77 GDPR), in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement. The supervisory authority responsible for us is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA) (Bavarian State Office for Data Protection Supervision) Promenade 18, 91522 Ansbach, Germany Telephone: +49 (0) 981 180093-0 E-mail: poststelle@lda.bayern.de

14. Data Security

Taking into account the state of the art, the costs of implementation and the nature, scope and purposes of the processing, we implement appropriate technical and organisational measures to protect your data against loss, misuse and unauthorised access. These include in particular the encryption of data transmissions using TLS/SSL (recognisable by the "https://" in your browser's address bar). Our security measures are continuously reviewed and improved in line with technological developments.

15. Currency and Amendments of this Privacy Policy

This privacy policy is currently in force. As a result of the further development of our Website, Platform and services, or due to changes in legal or regulatory requirements, it may become necessary to amend this privacy policy. The current version is available at all times on our Website and in the Platform.

Last updated: July 2026