This website is maintained by iQ Payments Oy (‘PayiQ,’ ‘we’ or ‘us’).

PayiQ takes data protection seriously. We follow the principles included in this data protection policy to protect your privacy. Thus, this data protection policy is included in the applicable websites, and it is part of the general terms of use of the website concerned.

This data protection policy concerns our website and your personal data related to its use and processed by PayiQ. We recommend that you get to know this data protection policy in order to find out which personal data we may collect through our website and how we process this data. We may also process your personal data through a service we provide (see below).

PayiQ is required to comply with the EU General Data Protection Regulation and the Act on the Protection of Privacy in Electronic Communications. PayiQ is committed to the protection of your personal data according to the requirements under this Regulation and the Act on the Protection of Privacy in Electronic Communications.

We always process your personal data in a reliable way. We are always open about how we process your personal data. We take all reasonable measures to protect your personal data from misuse and to keep it secure. We will inform you on who you should contact, should you have questions about how your personal data is processed.

Party collecting your personal data:

iQ Payments Oy (2564925-2)

Contact person for matters related to the processing of personal data:

Riikka Pöyry

Address: Linnankatu 13a A 18, 20100 Turku

Telephone: +358 10 419 2222


How we collect personal data:

We mainly collect personal data directly from you (for instance as you contact us by telephone, as you send us messages such as e-mails, as you fill in our questionnaires or forms, as you order our publications or as you use our website or our social media pages). We may also collect your personal data concerning the use of our website or process your personal data which you provide in connection with the use of a contact form. If you do not provide us with the personal data we request, we may not be able to offer you a service or procedure you request. The processing of your personal data is based on your consent, which you give by accepting this data protection policy.

In some cases, it may be necessary to collect your personal data from third parties. For instance, we may collect your personal data from your employer if your employer is our customer or wishes to become our customer, or from public sources. The collection of data from third parties is only applicable if it is necessary to provide justified benefits to us or to third parties, such as your employer.

In some cases, the processing of your personal data may be necessary in order for us to meet our statutory obligations.

Which personal data we collect

You do not need to separately register your personal data in order to use our website. We mainly collect personal data which visitors to our websites provide voluntarily and which must be provided for the purposes for which the data is collected. For instance, you may provide us with personal data, such as your name and your e-mail address, to register for the use of certain services we provide, to send us e-mail or to receive e-mail from us through our website.

Some data is necessary in order for us to allow the use of our website and its properties (this includes cookies, which are required in order for us to provide the services you request).

We collect the following personal data:

  • name, job title, contact details
  • identifiers for the use of the website (IP addresses, cookies etc.)
  • objects of interest and behavior on our website

If you wish to receive our news or marketing material or are interested in the services we provide, we may request various contact details depending on the type of material you have requested and permitting us to discuss your needs with you. In this case, the personal data we collect may include your name, your e-mail address, your street address and your telephone number.

If you decide to log in to our website using the login service provided by a third party, confirming your identity and linking us with your social media login details (such as LinkedIn, Google or Twitter), we shall collect data and contents required for registration or login and data and contents which the social media service provider shares with us with your consent. This data may include your name and your e-mail address. We do not collect data belonging to particular personal data groups on our website.

Purposes for which we collect personal data

We shall only process your personal data for purposes indicated in this data protection policy, unless you have separately given your consent to processing for other purposes.

PayiQ collects and processes personal data for various purposes, such as:

  • the provision of our services, including technical solutions and applications
  • answering your inquiries
  • maintaining and enabling a connection to our customers, our partners and stakeholders and keeping them up to date on our services, our product development and other topical subjects
  • allowing you to register for various areas on our website
  • confirming your identity
  • for recruitment purposes
  • requesting you to provide feedback
  • monitoring the functionality, usability and security of our website
  • meeting our statutory obligations or our obligations from the point of view of the authorities
  • for internal statistical purposes concerning our databases and their website
  • profiling visitors to our website based on user content
  • targeting our marketing communications based on the use of our website
  • for other purposes related to business activities.
Transfer and disclosure of personal data

We may transfer the personal data you provide via our website to our subcontractors who process your personal data for and on behalf of us (storage, processing or backup of personal data) according to the data protection obligations we follow, including the transfer of personal data across national borders.

We do not disclose your personal data to third parties (other than those mentioned above) unless this disclosure is permitted and required in legislation which binds us.

We do not sell your personal data or otherwise offer it to third parties for their direct marketing purposes.

Data security

PayiQ has taken appropriate technical and organizational measures and has appropriate technical and organizational practices for protecting your personal data against misplacement, misuse, modification or destruction.

PayiQ stores your personal data in printed and electronic form. Materials containing personal data are stored in locked premises which are only available to designated individuals whose duties require authorized access to them.

To the extent that the data may not be in a manually written form, the database containing personal data is included in the system which is only available to designated individuals whose duties require authorized access to it. Access to the databases and systems is only possible by means of personal usernames and passwords which are assigned specially for this purpose. We have limited access rights and authorizations to use information systems and other storage platforms so that only individuals who must be able to examine and process them for statutory processing purposes are able to do so. In addition, the database and system usage events are registered to the log data in our IT systems.

Our employees and other individuals processing personal data are committed to meeting the obligation of secrecy and to maintaining the confidentiality of the information received in connection with the processing of personal data.

We shall only store your personal data as long as necessary and to the extent which is necessary in terms of the original or compatible purposes for which the personal data is collected, or until we are requested to delete the data (if this takes place earlier). We take all reasonable measures to ensure that inaccurate, incorrect and dated personal data is deleted or corrected without unnecessary delay.

Usage of Cookies

We may use cookies from time to time. A cookie is a unique text file that a Web site can send to your browser software. Cookies enable a service to tailor information presented to you based on your browsing preferences. We may use cookies to personalize your pages at our services and support system, or to remember you when you register for products or services. If you do not want us to deploy cookies in your browser, you can set your browser to reject cookies or to notify you when a service tries to put a cookie in your browser software. Rejecting cookies may affect your ability to make use of some of the products and/or services.

We may also use cookies to track your visit to our services. While our servers may automatically log your IP address, this information does not identify you and you remain anonymous.

Your rights

In terms of the processing of your personal data, you have the following rights:

a) the right to receive our confirmation that your personal data is being processed or not processed, and if such personal data is processed, the right to gain access to your personal data and the following information: (i) processing purposes; (ii) personal data groups concerned; (iii) recipients or recipient groups to whom personal data has been disclosed or to whom it is intended to be disclosed; (iv) where possible, the intended storage period for the personal data or, where this is not possible, the criteria for determining this period; (v) the right to request the correction of your personal data or the limitation of processing your personal data or to oppose such processing; (vi) the right to file a claim with the supervisory authority; (vii) if personal data is not collected from you, all information available on the origin of the data.

b) the right to withdraw your consent at any time without any effect on the legality of the processing carried out based on your consent before the withdrawal takes place;

c) the right to demand that we correct without unnecessary delay any inaccurate and incorrect personal data related to you, and the right to request the completion of incomplete personal data, for instance by providing additional clarification, taking into account the purposes for which the data was processed;

d) the right to oblige us to delete your personal data without unnecessary delay provided that (i) the personal data is no longer required for the purposes for which it was collected or for which it was otherwise processed; (ii) you withdraw your consent on which the processing was based, and there are no other legal grounds for data processing; (iii) you oppose data processing based on your particular personal situation, and there are no legitimate reasons for data processing; (iv) your personal data has been processed in violation of the law; or (v) the personal data must be deleted in order to meet our statutory obligation based on European Union law or national legislation;

e) the right to oblige us to limit the processing of your personal data, if (i) you contest the correctness of your personal data, and data processing will be limited for a period during which we can confirm its correctness; (ii) the data is processed in violation of the law, and you oppose that deletion of your personal data, demanding instead the limitation of its use; (iii) we no longer require the personal data concerned for processing purposes, but you require this data to draft, file or defend a legal claim; or (iv) you have opposed the processing of your personal data on grounds related to your particular personal situation, while waiting for a confirmation of whether the data controller’s justified grounds override the grounds of the registered person;

f) the right to receive the personal data you have submitted to us in a structured, generally used and machine-readable form, and the right to transfer the data considered to another data controller without our preventing it, if the processing is based on the consent referred to in the EU General Data Protection Regulation and if the processing is carried out automatically;

g) the right to file a complaint with the supervisory authority, should you consider that the processing of your personal data is in violation of the EU General Data Protection Regulation.

The requests related to delivering on your rights shall be submitted to our contact person mentioned at the top of our data protection policy. Should you wish to leave our mailing list, you may use our cancellation link which is included in each e-mail.

Changes to the data protection policy

PayiQ regularly monitors this data protection policy and, where necessary, may modify it by updating the information included at its own discretion. Should we update the data protection policy, we shall record the date of the update in the data protection policy. The updated data protection policy shall be in force and applicable to you and your personal data from this date onwards. We recommend that you read this data protection policy regularly in order to be informed of the potential updates. This data protection policy was last updated on 17 April 2018.

Privacy Policy for GreenImpact

  1. Scope

This privacy policy applies to the use of the piggyback app of PayiQ Tickets. With regard to the terms used, such as “personal data” or their “processing”, we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR). This app is published in the Google Play Store and Apple Appstore by iQ Payments Oy, technical partner for the so-called “Changers SDK”, which is necessary for the operation of the app, is Blacksquared GmbH, Berlin.

  1. Provider and contact person

Person responsible for the collection, processing and use of personal data in the context of providing the Changers SDK:

Blacksquared GmbH

Bleibtreustrasse 53

D-10623 Berlin

Managing director: Daniela Schiffer

Local court Charlottenburg HRB 185884 B

VAT-Id. No. DE 282 11 63 39


  1. Collection, processing and use of personal data for the operation of the Changers SDK

3.1 Use of the Changers CO2 fit platform and services

With the use of Changers CO2 fit offers, distances traveled can be recorded according to the type of mobility. These are running, cycling and the use of public transport. Depending on the publisher’s offer, you can use these bonus points to buy vouchers for rewards in the app or participate in raffles. In addition, the participation of users can be linked to individual donation projects or tree planting.

3.2 General explanations

The use of the app is anonymized. No personal data such as name or email need to be stored. The user account is identified via a user ID or UUID in the backend.

Your personal data will not be passed on to third parties. The only exceptions to this are our service and contractual partners who are used in the context of the contractual relationship and companies that serve Blacksquared GmbH as cooperation partners. Since the anonymization of your data represents a processing of your personal data, we would like to obtain your permission with this declaration.

Data processing for other purposes or transfer to third parties, unless explicitly stated in this privacy policy, will not take place without your explicit consent. Something else only applies if we are legally obligated to release data (information to law enforcement agencies and courts; information to public bodies that receive data due to legal regulations, e.g. tax authorities).

3.3 Registration information and other personal data of the users

When you register as a user of the Piggyback App, we create a so-called UUID for your account in our system, which is stored in our system (“Registration Information”). In order to use the full functionality of the Services, you must also enable location sharing in your smartphone.

When you register in the app, we store your account data and the date and time of your registration on the servers of our service provider AWS Frankfurt, located in Frankfurt am Main, Germany.

3.4 Collection of location and movement data by the piggyback app (tracking)

The piggyback App allows users to collect data about their use of more or less CO2-saving means of transport for certain routes and to evaluate the carbon footprint of such activities. The personal data is used to validate the distances traveled in the corresponding mobility type and to calculate the bonus points (ReCoins) to be awarded.

The piggyback app uses, among other things, the GPS and positioning interfaces of the respective mobile devices or the navigation software used by the mobile devices to determine the current location of the users, to measure the distance traveled and, to verify the information provided by the users about the means of transport used, to compare it with maps and other publicly available data.

3.4.1 How are the distances traveled measured?

We use MotionTag technology to capture the journeys.

MotionTag uses machine learning from smartphone sensors to develop smart mobility solutions that measure mobility data in real time and distinguish between mobility types. This technology is also used, for example, in apps from transportation companies for smart ticketing. The collected data can be used by MotionTag, for example, to map anonymized and cumulated traffic metrics such as a modal split or a heat map of all routes traveled in a region. This allows transportation infrastructure projects to be better adapted and planned to the actual needs of travelers. Motion Tag is a German company based in Potsdam and hosts and processes the data in Germany according to the requirements of the GDPR.

3.4.2 How are mobility types differentiated?

The distances are measured by the smartphone. For this purpose, we have stored parameters that the smartphone queries after the distance has been measured. These include speed and acceleration values, which are used in particular to distinguish running and cycling from the use of motorized means of transport.

3.4.3 Data storage

The data is stored in the data center of our service provider, AWS Frankfurt in Frankfurt am Main, Germany.

The operator wants to ensure the user full control over his personal data. The User’s legal right to information, correction and deletion of data remains unaffected. The deletion of the User’s personal mobility data does not include the data aggregated and anonymized from this data, which is collected by the Operator in order to compile statistics on collective mobility data and CO2 savings of the users of this App. These anonymized and aggregated data are retained only as long as necessary for the purpose of the data processing, in this case displaying the aggregated company values and activities in the company statistics. (Art. 5 para. 1 lit. e) DSGVO).

3.5 Contacting via the contact form or our helpdesk

If you would like to contact us via the contact form on our website, we will process your first and last name, your email address, and the message text you send to us in accordance with Art. 6 (1) lit. b) DSGVO in order to process your request. There is no link to the data collected in the app. Your information may be stored in our customer relationship management system (“CRM system”) or comparable request organization.

We use the CRM system “Helpdesk”, of the provider Zendesk, Inc.- 1019 Market St, San Francisco, CA 94103, USA) based on our legitimate interests (efficient and fast processing of user requests). For this purpose, we have concluded a contract with Zendesk with so-called standard contractual clauses, in which Zendesk undertakes to process user data only in accordance with our instructions and to comply with the EU data protection level. All processors that previously operated under the now invalid Privacy Shields agreement have since added the relevant standard contractual clauses approved by the European Commission to the data processing terms and security provisions, which, according to the ruling, continue to be legally valid for the transfer of data outside the EU, Switzerland and the United Kingdom.

We delete the inquiries if they are no longer necessary. We review the necessity every two years; we store inquiries from customers who have a customer account permanently and refer to the information on the customer account for deletion. In the case of legal archiving obligations, deletion takes place after their expiry (end of commercial law (6 years) and tax law (10 years) retention obligation).

  1. Legal Basis

4.1 Cooperation with Processors and Third Parties

If, in the course of our processing, we disclose data to other persons and companies (processors or third parties), transmit it to them or otherwise grant them access to the data, this will only be done on the basis of a legal permission (e.g. if a transmission of the data to third parties, according to Art. 6 para. 1 lit. b DSGVO is necessary for the performance of the contract), you have consented, a legal obligation provides for this or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.).

If we commission third parties with the processing of data on the basis of a so-called “order processing agreement”, this is done on the basis of Art. 28 DSGVO.

4.2 Transfers to third countries

If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third-party services or the disclosure or transfer of data to third parties, this will only occur if it is done in order to fulfill our (pre-)contractual obligations, on the basis of your consent, due to a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or allow the processing of data in a third country only if the special requirements of Art. 44 et seq. DSGVO are met. This means that the processing is carried out, for example, on the basis of special guarantees, such as the officially recognized determination of a level of data protection that corresponds to the EU (e.g. for the USA by the “Privacy Shield”) or compliance with officially recognized special contractual obligations (so-called “standard contractual clauses”).

All processors that previously operated under the now-invalid Privacy Shields agreement have since added the relevant European Commission-approved standard contractual clauses to their data processing terms and security provisions, which remain legally valid for transfers of data outside the EU, Switzerland and the United Kingdom, according to the ruling.

4.3 Cookies & Reach Measurement

Cookies are pieces of information that are transmitted from our web server or third-party web servers to users’ web browsers, where they are stored for later retrieval. Cookies may be small files or other types of information storage.

We use “session cookies”, which are only stored for the duration of the current visit to our online presence (e.g. to enable the storage of your login status and thus the use of our online offer at all). In a session cookie, a randomly generated unique identification number is stored, a so-called session ID. In addition, a cookie contains information about its origin and the storage period. These cookies cannot store any other data. Session cookies are deleted when you have finished using our online offer and you log out or close the browser, for example.

Users are informed about the use of cookies in the context of pseudonymous reach measurement as part of this privacy policy.

If users do not want cookies to be stored on their computer, they are asked to disable the corresponding option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this online offer.

You can object to the use of cookies used for reach measurement and advertising purposes via the Network Advertising Initiative opt-out page ( and additionally the U.S. website ( or the European website (

4.4 Collection of access data and log files

We collect on the basis of our legitimate interests within the meaning of Art. 6 para. 1 lit. f. DSGVO, we collect data about each access to the server on which this service is located (so-called server log files). The access data includes the name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address and the requesting provider.

Log file information is stored for security reasons (e.g. to clarify acts of abuse or fraud) for a maximum of seven days and then deleted. Data whose further storage is required for evidentiary purposes is exempt from deletion until final clarification of the respective incident.

4.5 Online presences in social media

We maintain online presences within social networks and platforms in order to be able to communicate with the customers, interested parties and users active there and to inform them about our services there. When calling up the respective networks and platforms, the terms and conditions and data processing guidelines of their respective operators apply.

Unless otherwise stated in our privacy policy, we process the data of users if they communicate with us within the social networks and platforms, e.g. write posts on our online presences or send us messages.

4.6 Google Analytics

We use Google Analytics, a web analytics service provided by Google LLC (“Google”), on the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offering within the meaning of Art. 6 (1) lit. f. DSGVO) Google Analytics, a web analytics service provided by Google LLC (“Google”). Google uses cookies. The information generated by the cookie about the use of the online offer or within our app by the users is usually transmitted to a Google server in the USA and stored there.

All processors that previously operated under the now-invalid Privacy Shields agreement have since added the relevant European Commission-approved standard contractual clauses to their data processing terms and security provisions, which remain legally valid for transfers of data outside the EU, Switzerland and the United Kingdom, according to the ruling.

Google will use this information on our behalf to evaluate the use of our online offer by users, to compile reports on the activities within this online offer and to provide us with other services related to the use of this online offer and the Internet. In doing so, pseudonymous usage profiles of the users can be created from the processed data.

The IP address transmitted by the user’s browser is not merged with other data from Google. Users can prevent the storage of cookies by setting their browser software accordingly; users can also prevent the collection of the data generated by the cookie and related to their use of the online offer to Google, as well as the processing of this data by Google, by downloading and installing the browser plugin available at the following link: (

For more information about Google’s data use, settings and opt-out options, please visit Google’s websites: (“Data use by Google when you use our partners’ websites or apps”), (“Data use for advertising purposes”), (“Manage information Google uses to serve ads to you”).

4.7 Data permissions in the apps

4.7.1 Firebase Crashlytics / Firebase Crash Reporting

We use Firebase Crashlytics / Firebase Crash Reporting (hereinafter Google Firebase) to analyze user behavior and to report on the stability and improvement of the app. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

Google Firebase Crashlytics / Firebase Crash Reporting is used for the stability and improvement of the app. It collects information about the device used and the usage of our app (e.g. the timestamp, when the app was started and when the crash occurred), which allows us to diagnose and solve problems. The data is stored anonymously.

The use of Firebase Crashlytics / Firebase Crash Reporting may require the forwarding of your personal data to the USA. Please refer to the provider’s privacy policy for the storage period of the data collected in this way.

Google Firebase Crashlytics / Firebase Crash Reporting is used to optimize this app and to improve our offers. This represents a legitimate interest within the meaning of Art. 6 para. 1 lit. f DSGVO.

Weitere Informationen zu Google Firebase findest du unter:

4.7.2 Push Notifications

We ask for permission to send you push notifications when you first install (Android) or use (iOS) the app. We use Google’s Firebase Cloud Messaging (Android) and Apple Push Notifications (iOS) for push notifications. Firebase and Apple generate a calculated key, which is composed of the identifier of the app and your device identifier. This key is stored on our push platform with the settings you have selected in order to provide you with the content according to your wishes. The Firebase or Apple servers cannot draw any conclusions about the requests of users or determine any other data related to a person. Firebase and Apple serve exclusively as transmitters.

4.8 Integration of third-party services and content

Within our online offer, we use content or service offers of third-party providers on the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offer within the meaning of Art. 6 para. 1 lit. f. DSGVO) to integrate content or services offered by third-party providers, such as videos or fonts (hereinafter uniformly referred to as “content”). This always requires that the third-party providers of this content are aware of the IP address of the user, since without the IP address they could not send the content to their browser. The IP address is thus required for the display of this content. We strive to use only such content whose respective providers use the IP address only for the delivery of the content.

Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. The “pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and may contain, among other things, technical information about the browser and operating system, referring websites, time of visit and other information about the use of our online offer, as well as be linked to such information from other sources.

The following presentation provides an overview of third-party providers and their content, along with links to their privacy statements, which contain further information on the processing of data and, in part already mentioned here, opt-out options:

External fonts from Google, LLC., (“Google Fonts”). The integration of Google Fonts is done by a server call at Google (usually in the USA). Privacy policy:, Opt-Out:

Maps of the service “Google Maps” of the third party provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy:, Opt-Out:

Videos from the “YouTube” platform of the third-party provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy:, Opt-Out:

4.9 Relevant legal bases

In accordance with Art. 13 DSGVO, we inform you about the legal basis of our data processing. If the legal basis is not mentioned in the privacy policy, the following applies: The legal basis for obtaining consent is Art. 6(1)(a) and Art. 7 DSGVO, the legal basis for processing for the performance of our services and implementation of contractual measures and responding to requests is Art. 6(1)(b) DSGVO, the legal basis for processing for the performance of our legal obligations is Art. 6(1)(c) DSGVO, and the legal basis for processing for the protection of our legitimate interests is Art. 6(1)(f) DSGVO. In the event that vital interests of the data subject or another natural person make processing of personal data necessary, Art. 6 (1) lit. d DSGVO serves as the legal basis.

4.10 Revocation, changes, corrections and updatesrungen

As a user, you have the right to request information free of charge about the personal data that has been stored about you. In addition, you have the right to correct inaccurate data, blocking and deletion of your personal data, provided that this does not conflict with any legal obligation to retain data. You can find our contact details here (

4.11 Safety measures

We take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk in accordance with Article 32 of the GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons; the measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as access concerning them, input, disclosure, ensuring availability and their separation.

Furthermore, we have established procedures that ensure the exercise of data subjects’ rights, the deletion of data and the response to data compromise. Furthermore, we already take the protection of personal data into account during the development and selection of hardware, software and processes, in accordance with the principle of data protection through technology design and through data protection-friendly default settings (Article 25 of the GDPR).

The security measures include, in particular, the encrypted transmission of data between your browser and our servers, as well as between the mobile apps and our servers.

4.12 Data protection officer

The data protection officer of Blacksquared GmbH is:

RA Christoph Kluss

You can reach our company data protection officer by mail at:


Blacksquared GmbH

Christoph Kluss

Bleibtreustraße 53

10623 Berlin, Germany

4.13 Changes and updates to the privacy policy

We ask you to regularly inform yourself about the content of our privacy policy. We adapt the data protection declaration as soon as changes in the data processing carried out by us make this necessary. We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification.

This privacy policy was last updated on September 21, 2020.