Privacy Policy
Last updated: September 2025
We process personal data (“data”) only to the extent necessary and for the purpose of providing a functional, secure, and user-friendly website (including webshop), connected services, and mobile applications (in particular MyTransport.One / MyT.One). “Processing” means any operation performed on data (Art. 4(2) GDPR).
I. Controller
Swarm Logistics GmbH
Managing Director: Damir Dulović
Königstr. 22, 70173 Stuttgart, Germany
Phone: +49 (0)711 390 898 05
Email: info@swarmlogistics.net
Imprint: https://swarmlogistics.de/impressum
II. Supervisory Authority
State Commissioner for Data Protection and Freedom of Information Baden-Württemberg (LfDI BW)
Lautenschlagerstraße 20, 70173 Stuttgart, Germany
Website: https://www.baden-wuerttemberg.datenschutz.de
III. Data Subject Rights
You have the rights of access, rectification, erasure, restriction, data portability, and objection (Arts. 15–21 GDPR), as well as the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). You may withdraw consent at any time with effect for the future.
IV. Legal Bases & Retention
Legal bases: Art. 6(1)(a) GDPR (consent), Art. 6(1)(b) GDPR (contract/contract initiation), Art. 6(1)(c) GDPR (legal obligation), Art. 6(1)(f) GDPR (legitimate interests). Where we access or store information on end-user devices, Section 25 TTDSG (German Telecommunications-Telemedia Data Protection Act) also applies.
Retention periods follow legal obligations (e.g., HGB/AO, typically up to 10 years) or the specific purpose; security/access logs are generally kept 30–90 days.
V. Hosting, Server Logs & Processors
Website hosting (IONOS SE) – EU data centers
Processed data: server log files (IP address, timestamp, requested content, referrer, user agent), meta/communication data.
Legal basis: Art. 6(1)(f) GDPR (secure operation) in conjunction with Art. 28 GDPR (data processing agreement).
Backend/servers (Hetzner Online GmbH) – EU data centers
Purposes: running APIs/applications and databases; security, availability, performance.
Legal bases: Art. 6(1)(b) and 6(1)(f) GDPR in conjunction with Art. 28 GDPR (data processing agreement).
VI. TTDSG & Consent Management
Where we store or access information on end-user devices (cookies, local storage, pixels), this is done only with consent under Section 25(1) TTDSG, unless strictly necessary (Section 25(2) TTDSG). Any subsequent data processing relies on Art. 6 GDPR.
We use Real Cookie Banner (devowl.io) to collect and document consents (consent ID, status, timestamp, truncated IP, preferences).
Legal bases: Art. 6(1)(c) GDPR (accountability), Art. 6(1)(f) GDPR (proof), Section 25 TTDSG. Retention of consent logs: generally 3 years. You can withdraw or adjust choices at any time in the cookie settings.
VII. Web Analytics & Google Services (only with consent)
Google Analytics 4 (via Site Kit by Google) – Google Ireland Ltd.; US involvement: Google LLC
Processed data: usage/event data, device/browser data, approximate location, referrer, consent signals; IP anonymization enabled. Consent Mode v2; GA4 loads only after consent.
Legal bases: Section 25(1) TTDSG, Art. 6(1)(a) GDPR.
International transfers: USA; safeguarded by EU Standard Contractual Clauses (SCCs).
Retention: user/event data typically 14 months. Consent can be withdrawn at any time via the banner.
Google for WooCommerce
Transmission of product/e-commerce events to Google (for display in Google properties) only with consent (TTDSG/GDPR as above).
VIII. Email Infrastructure
1) Flatbooster GmbH (email services for swarmlogistics.net)
We use Flatbooster GmbH, Regattastr. 232, 12527 Berlin; branch: Linienstr. 50, 14776 Brandenburg; HRB 213043B (AG Potsdam); VAT ID DE267097860; contact: support@flatbooster.de, +49 (0)3381 563301, to provide/manage email mailboxes and forwarding under the swarmlogistics.net domain.
Role: processor under Art. 28 GDPR (data processing agreement in place).
Data categories: sender/recipient addresses, metadata (timestamps, delivery status, server info), subject/content (where technically required), spam/malware checks, protocol data (SMTP/IMAP/POP3).
Purposes: email provisioning, sending/receiving, spam/malware protection, availability/error analysis.
Legal bases: Art. 6(1)(b) GDPR (contractual communication), Art. 6(1)(f) GDPR (secure, necessary email operation), Art. 32 GDPR (security).
Transfers: processing in Germany/EU; no third-country transfers by Flatbooster.
2) Microsoft 365 / Exchange Online (swarmlogistics.de)
For transactional/business emails (e.g., system, order, support) we use Microsoft 365 (Exchange Online) under the swarmlogistics.de domain; senders may include info@swarmlogistics.net.
International transfers: possible; safeguarded by SCCs (Art. 46 GDPR) and technical/organizational measures (TLS in transit, anti-malware, policies).
Note: For highly confidential content we offer end-to-end encryption upon request.
IX. Webshop & Contract Fulfilment (WooCommerce + Germanized)
Customer account (optional): master data, login data, order history, billing/shipping addresses (Art. 6(1)(b), (f) GDPR).
Orders: master, contact, address, order/payment/shipping information; recipients: internal departments, IT/hosting, payment and shipping providers, tax advisors.
Retention: generally 10 years under HGB/AO.
Payment services
- WooPayments (Stripe) – Stripe Technology Europe Ltd. (Ireland); possibly Stripe, Inc. (USA). Necessary payment data are transmitted. Legal bases: Art. 6(1)(b), (f) GDPR; SCCs for any third-country transfers.
- PayPal Payments – PayPal (Europe) S.à r.l. et Cie (Luxembourg); possibly PayPal Inc. (USA). Same legal bases; SCCs.
Shipping providers (e.g., DHL/UPS/DPD): name, delivery address, and, where needed, email/phone for delivery notifications (Art. 6(1)(b) GDPR).
Subscriptions & memberships
- SUMO Subscriptions: management of recurring payments/subscriptions (Art. 6(1)(b) GDPR).
- Paid Memberships Pro: memberships and access rights (Art. 6(1)(b) GDPR).
- License Manager for WooCommerce: issuance/management of software license keys; processed data may include order, license, activation/usage, and contact/address data (Art. 6(1)(b) GDPR; retention per HGB/AO).
X. Email Sending (WP Mail SMTP) & Newsletter (MailPoet)
Transactional/system emails (WP Mail SMTP): sent via the infrastructure above (Microsoft 365/Flatbooster). Data: recipient, sender, technical metadata, delivery logs, content. Legal bases: Art. 6(1)(b), (f) GDPR.
Newsletter (MailPoet) – if used:
Data: email address, optionally name; double opt-in; opt-out anytime via unsubscribe link.
Legal basis: Art. 6(1)(a) GDPR; accountability/proof under Art. 6(1)(c), (f) GDPR.
XI. Security & Protection (plugins)
We use Wordfence, Really Simple Security, Limit Login Attempts Reloaded, and IP Location Block.
Data: IP addresses, timestamps, requested URLs, headers/device info, login events; comparison against provider services may occur.
Legal bases: Art. 6(1)(f) GDPR (IT security), Art. 32 GDPR. Logs: generally 30–90 days. International transfers may occur; SCCs apply.
XII. Backups (UpdraftPlus – local only)
For resilience we create local backups (files/database) using UpdraftPlus without transferring data to external cloud services.
Legal bases: Art. 6(1)(c) GDPR (statutory retention) and Art. 6(1)(f) GDPR (operational security).
Recipients/third countries: no transmission to external providers; storage solely on systems we control within the EU.
XIII. Multilingual, Media & Performance
Polylang: sets a necessary language cookie (strictly necessary under Section 25(2) TTDSG).
Converter for Media (WebP/AVIF): server-side image conversion (generally no personal reference).
XML Sitemap Generator / Yoast SEO / Otter / Advanced WordPress Backgrounds: no personal data as long as no external resources are loaded.
Local Google Fonts: fonts are hosted locally (no connection to Google servers).
XIV. Gravatar (avatars) – only if avatars/comments are active
If our website uses avatars (e.g., in comments, profiles, reviews) and Gravatar is enabled, a hashed value of your email address may be transmitted to Automattic Inc. (USA) to display the avatar.
Legal bases: Section 25(1) TTDSG (if device access/cookies are involved), Art. 6(1)(a) GDPR (consent) or Art. 6(1)(f) GDPR (user-friendly profiles), depending on integration. International transfers: USA; SCCs.
Note: If avatars/comments are disabled or we use local avatars, no transmission to Gravatar takes place.
XV. Quality & Maintenance
Broken Link Checker (WPMU DEV):
– Local mode: scans run within our installation without external transmission.
XVI. Calendar & Appointment Booking — Calendly
We use Calendly (Calendly LLC, USA) for scheduling (widget/link).
Data: name, email, phone (optional), company, notes; booking/metadata (time slot, time zone, invitation status, IP, timestamp, browser/device).
Purposes: scheduling and communication.
Legal bases: Art. 6(1)(b) GDPR (contract-related) and Art. 6(1)(f) GDPR (efficient organization); consent where the widget/device access is required (Section 25 TTDSG/Art. 6(1)(a) GDPR).
International transfers to the USA: SCCs.
You can also reach us by email at info@swarmlogistics.net or by phone at +49 (0)711 390 898 05.
XVII. Mobile App — MyTransport.One / MyT.One (Google Play)
Distribution via Google Play: Google processes store/account data as its own controller.
In-app processing by us (depending on usage):
– Data types: precise/approximate location data (possibly background), timestamps, device/app IDs, tour/order status, push tokens.
– Purposes: live dispatching, ETA/navigation, plan/actual reconciliation, history, SLA evidence, security/fraud prevention, support.
– Legal bases: Art. 6(1)(b) GDPR (service/employment context), Art. 6(1)(f) GDPR (operational control/traceability), Art. 6(1)(a) GDPR for background location & push (consent via OS app permissions; withdrawal anytime in system/app settings).
– TTDSG: storing/accessing app identifiers/push tokens may require consent (Section 25 TTDSG).
– Retention: position/event data up to 12 months, then deletion/anonymization; logs up to 6 months.
Without the required permissions, some app features are limited.
XVIII. AI Functions — Mistral (API)
We use models from Mistral AI (France/EU) to process unstructured inputs (e.g., extraction/structuring of text content and, where applicable, images).
Data: submitted content/prompts (e.g., order data/addresses), technical metadata (timestamps, request IDs), pseudonymous IDs. Please do not submit special categories of data within the meaning of Art. 9 GDPR unless strictly necessary and expressly agreed.
Roles: Mistral generally acts as our processor (data processing agreement in place); in part, Mistral may process aggregated usage data as an independent controller for stability/security.
Location/transfers: processing primarily within the EU/EEA; where sub-processors in third countries are used, SCCs and supplementary measures apply.
Legal bases: Art. 6(1)(b) GDPR (contract-related function), Art. 6(1)(f) GDPR (efficient automation); Art. 6(1)(a) GDPR (consent) where device access/third-country transfers without SCCs would otherwise be required.
Retention: logs/prompts are minimized; typically 30–90 days for security/billing/error analysis, then deletion/anonymization.
XIX. Contact & Inquiries
When you contact us via form/email (info@swarmlogistics.net), we process your details to handle the inquiry (Art. 6(1)(b) GDPR). Data are deleted after completion unless retention obligations apply.
XX. Applications
For job applications, we process master, contact, qualification, communication, and application data to decide on employment (§ 26 BDSG; additionally Art. 6(1)(b), (f) GDPR).
Retention: generally 6 months after completion; longer only with consent.
XXI. Automated Decision-Making/Profiling
Does not take place. (If we implement such procedures, we will provide prior information on the logic, significance, and envisaged consequences.)
XXII. Changes to this Privacy Policy
We update this notice when our processing or the legal situation changes.