Privacy Policy

This translation is provided for convenience. In case of deviations, the German version applies.

1. Responsible Party

The party responsible for data processing on the VEHI platform is:

VEHI Digital UG (limited liability) Am Pichelssee 58 13595 Berlin E-Mail: info@vehi.de

Unless the legal requirements are met, no data protection officer has been appointed.

2. Principle of the Platform

VEHI operates a platform through which users can find, save, and make inquiries to partner offers.

VEHI is not the provider of the services displayed. Contracts regarding the requested services are concluded exclusively between the user and the partner.

Insofar as VEHI provides the platform, manages user accounts, transmits inquiries, captures interactions, and creates partner billing, VEHI is responsible under data protection law.

Once a partner receives an inquiry and processes the data for contacting, consulting, offering, or executing a contract, the partner is an independent controller in terms of the GDPR.

3. General Legal Foundations

We process personal data mainly based on:

  • Art. 6 para. 1 lit. b GDPR, when processing is necessary for the performance of a contract or for taking steps prior to entering into a contract,

  • Art. 6 para. 1 lit. a GDPR, when consent has been given,

  • Art. 6 para. 1 lit. f GDPR, when legitimate interests exist,

  • Art. 6 para. 1 lit. c GDPR, when legal obligations exist.

4. Provision of the Website and Log Files

When visiting our website, we process technically necessary data, in particular:

  • IP address,

  • Date and time of access,

  • Page accessed,

  • Referrer URL,

  • Browser type and version,

  • Operating system,

  • Amount of data transmitted,

  • Server status.

The processing is carried out for the technical provision, system security, error analysis, and prevention of misuse.

The legal basis is Article 6(1)(f) GDPR.

5. User Account

When users create an account, we process in particular:

  • Name,

  • Email address,

  • Password hash,

  • Stored offers,

  • Inquiry history,

  • Technical usage data.

Purposes:

  • Creation and management of the user account,

  • Use of platform features,

  • Storage of offers,

  • Management of inquiries,

  • Security of the platform.

The legal basis is Article 6(1)(b) GDPR.

6. Partner Account

When partners create an account, we process in particular:

  • Company data,

  • Contact person,

  • Email address,

  • Billing information,

  • Payment status,

  • Tariff and contract data,

  • Ad and offer data,

  • Billing data.

Purposes:

  • Provision of the partner area,

  • Publication and management of ads,

  • Processing of inquiries,

  • Billing for clicks, leads, sales, and subscriptions,

  • Contract management,

  • Support and security.

Legal basis is Art. 6 para. 1 lit. b GDPR.

7. Inquiries and Lead Transfer to Partners

When users submit an inquiry through VEHI, we process the data provided and transmit it to the selected partner.

This may particularly include:

  • First name,

  • Last name,

  • Email address,

  • Inquiry content,

  • Selected offer,

  • Time of inquiry,

  • Technical assignment data.

The transmission occurs so that the partner can process the inquiry, contact the user, and potentially create an offer.

The contract for the requested service is concluded exclusively between the user and the partner.

The legal basis is Article 6 (1) (b) GDPR.

8. Data Processing by Partners

Partners receive personal data only to the extent that it is necessary for processing the respective request.

Upon receiving the request, the partner independently processes the data, particularly for:

  • Contacting,

  • Consulting,

  • Creating offers,

  • Contract negotiations,

  • Contract execution.

The partner is solely responsible for this further processing. Additionally, the privacy notices of the respective partner apply.

9. Internal Platform Tracking for Operation and Billing

VEHI captures certain interactions within the platform that are necessary for operation, security, attribution, and billing.

These include in particular:

  • Ad impressions,

  • Clicks on ads or redirects,

  • Detail page views,

  • CTA clicks,

  • Inquiries,

  • Leads,

  • Sales, as reported back,

  • Subscription periods,

  • Validation status of leads.

Purposes:

  • Technical provision of the platform,

  • Correct attribution of interactions to ads and partners,

  • Billing of clicks, leads, sales, and subscriptions,

  • Abuse detection,

  • Fraud prevention,

  • Evidence and clarification of billing issues.

The following is particularly processed:

  • Time and nature of the interaction,

  • Associated ad,

  • Associated partner,

  • Session or pseudonymous technical identifiers,

  • IP address in shortened or security-related form,

  • Browser and device data,

  • Billing status,

  • Validation status.

This platform tracking is not intended for advertising profile building, but for the provision and billing of VEHI's platform services.

The legal basis is Article 6(1)(b) GDPR for contractually necessary processing and Article 6(1)(f) GDPR for abuse protection, security, and proof interests.

10. Lead Cycle and Validation

A lead may be subject to a lead cycle. The standard period is 30 days from the initial lead creation unless a different period is agreed upon in the partner contract, tariff, or pricing plan.

Multiple inquiries from a logged-in user to the same partner or related offers can be bundled into a single lead within this period.

A repeated inquiry for the same advertisement within the same lead cycle may be blocked to avoid duplicate contact requests.

For non-logged-in users, secure bundling is not always technically possible, so inquiries may be processed separately.

Partners can validate leads as valid or invalid within a validation period. The standard period is 30 days from lead creation unless otherwise agreed.

Additional inquiries within the same lead cycle do not extend this period.

If Auto-Confirm is activated, a lead will automatically be considered confirmed after the expiration of the validation period if it has not been marked as invalid within the deadline and in a traceable manner.

Invalid leads will not be billed, provided they have been marked as invalid in a timely and traceable manner.

To carry out this process, we process:

  • User inquiry,

  • Partner assignment,

  • Advertisement assignment,

  • Time points,

  • Validation status,

  • Billing status,

  • If applicable, reason for invalidity.

The legal basis is Article 6(1)(b) of the GDPR.

11. Click, Sale, and Subscription Billing

Partners may be billed through different billing models depending on the contract, tariff, or pricing plan.

Click and lead models fundamentally exclude each other unless otherwise agreed.

Clicks are generally billed only in the click model and are processed regularly at the beginning of the month for the previous month.

Leads are generally billed only in the lead model and are billed only after confirmation or automatic confirmation.

Sales are processed and billed only in the lead model if a sales component has been agreed upon. A confirmed lead and an assignment within the agreed attribution period are generally prerequisites. The standard attribution period is 60 days from lead creation unless otherwise agreed.

Subscriptions are processed and billed on a monthly basis based on the agreed partner contract, tariff, or pricing plan unless otherwise agreed.

For billing, we specifically process:

  • Partner data,

  • Tariff data,

  • Clicks,

  • Leads,

  • Sales,

  • Subscription periods,

  • Invoice data,

  • Payment status,

  • Stripe references,

  • Billing parameters valid at the time of event occurrence.

The legal basis is Article 6 (1) (b) GDPR as well as Article 6 (1) (c) GDPR for statutory retention obligations.

12. Payment Processing via Stripe

For payment processing with partners, we use Stripe.

In particular, the following can be processed:

  • Name/Company,

  • Billing address,

  • Payment information,

  • Transaction data,

  • Tax information,

  • Payment status.

The processing is carried out for the purpose of settling payments and invoicing to partners.

The legal basis is Article 6 (1) lit. b GDPR and, insofar as legal obligations exist, Article 6 (1) lit. c GDPR.

13. Email Communication and Postmark

We use email to communicate with users and partners.

This includes in particular:

  • Registration emails,

  • Login and security messages,

  • Inquiry confirmations,

  • Notifications about leads,

  • System messages,

  • Billing information,

  • Support communication.

For sending, we use Postmark.

The following are processed in particular:

  • Email address,

  • Name,

  • Content of the message,

  • Delivery status,

  • Technical delivery data.

The legal basis is Article 6(1)(b) GDPR, Article 6(1)(f) GDPR, and in the case of legally required notifications, Article 6(1)(c) GDPR.

14. Email Newsletters and Partner Communications

We differentiate between three voluntary or B2B-related email channels and transactional mandatory communications (account, security, leads, billing).

Private users: The general VEHI newsletter is sent only with explicit consent — e.g., through an optional checkbox during registration (confirmation with the account email) or through a separate sign-up with double opt-in without an account. Legal basis: Art. 6 para. 1 lit. a GDPR.

Partners with an account: After registration and email confirmation, you will receive important partner and platform updates (platform notices, account, ads, leads, billing, security, compliance). Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in the B2B platform relationship). You can object to this at any time; transactional account, security, and billing emails remain unaffected.

Partner marketing (cooperation and advertising offers) only with separate voluntary consent (opt-in). Without a partner account, only this marketing registration via double opt-in is possible — no automatic platform updates.

Unsubscribing occurs channel-specifically via the link in the respective email, in the account settings, or by messaging info@vehi.de. Transactional mandatory communications are not disabled by newsletter unsubscriptions.

15. Analysis and Marketing Services

We may use the following services:

  • Google Analytics,

  • Google Tag Manager,

  • Google Ads,

  • Google AdSense,

  • Meta/Facebook Pixel or Meta Ads.

These services particularly serve for:

  • Reach measurement,

  • Usage analysis,

  • Conversion measurement,

  • Advertising optimization,

  • Displaying or measuring ads.

These services are only used if consent has been granted, where such consent is legally required.

The legal basis is Art. 6 (1) lit. a GDPR.

For storing or reading information on end devices, the requirements of the TDDDG also apply. Consent is generally required for technically non-essential tracking technologies; technically necessary processes may be exempt from this requirement.

16. Google Tag Manager

Google Tag Manager is used for managing tags. The Tag Manager itself does not set marketing cookies after usual configuration but can trigger other services.

We configure Google Tag Manager so that consent-requiring services are loaded only after appropriate consent has been obtained.

17. Hosting via Hetzner

Our platform is hosted by Hetzner.

In this context, technical data is processed, particularly:

  • IP addresses,

  • server log files,

  • database contents,

  • platform data,

  • uploaded or imported offer data.

The processing is carried out to provide, secure, and scale the platform.

A processing agreement will be concluded with the hosting provider where necessary.

The legal basis is Article 6(1)(b) and (f) GDPR.

17a. Object Storage (Hetzner Object Storage)

We store partner media (images, logos) and other files in S3-compatible Object Storage at Hetzner. File contents, metadata, and public URLs are processed. Legal basis: Art. 6 para. 1 lit. b and lit. f GDPR. A data processing agreement is concluded with Hetzner.

17b. AI-Supported Preparation (OpenAI)

For the technical preparation of partner feeds and advertisements (e.g., field mapping, categorization, translations), structured offer data may be transmitted to OpenAI (USA). No end-user contact inquiries are sent to OpenAI. Legal basis: Art. 6 para. 1 lit. f GDPR. Order processing and appropriate safeguards for third country transfers (e.g., Standard Contractual Clauses) are implemented.

17c. Rate-Limiting (Upstash Redis)

To protect against abuse, we use a Redis service (Upstash) in production. Pseudonymized technical identifiers are processed; the plaintext personal content of forms is not processed. Legal basis: Art. 6 para. 1 lit. f GDPR (Security). A data processing agreement is concluded with Upstash, if necessary.

17d. Geocoding (OpenStreetMap Nominatim)

For location resolution, address or place information may be transmitted to the geocoding service Nominatim (OpenStreetMap Foundation). Legal basis: Art. 6 para. 1 lit. b and lit. f GDPR.

17e. Affiliate Redirects

In the case of affiliate offers, we redirect users to external providers (e.g., affiliate networks like 9drive). Technical identifiers, referrers, and click data may be transmitted to the external provider. VEHI does not charge any direct CPC fees for this. Legal basis for the redirect: Art. 6 para. 1 lit. b and lit. f GDPR. The external provider is responsible for further processing on the target site.

17e1. First-Party Reach Measurement and Offering Engagement

For operational management, reach measurement, and improvement of our offerings, we collect cookie-less first-party data on our own domain. This includes page views (requested path, language, referrer, UTM parameters, technical session identification from IP address and browser identification of the day, bot detection) as well as anonymous interactions with offerings (e.g., card impressions, clicks on detail views or contact actions), insofar as these are necessary for platform statistics and partner performance.

No marketing profiles are created, and no personal user profiles are formed through third-party cookies. The legal basis is Article 6(1)(f) GDPR (legitimate interest in the secure, economical, and user-friendly operation of the platform). The data will be deleted after a maximum of 14 months unless there are legal retention obligations to the contrary. You can object to the processing at any time for reasons arising from your particular situation by contacting info@vehi.de (Article 21 GDPR).

17f. Cookies and Consent

We store your consent for statistical and marketing cookies in the cookie vehi_consent. You can change or revoke your choice at any time via "Cookie Settings" in the footer.

17g. Map Features (Leaflet / OpenStreetMap)

To display locations, catchment areas, or service areas, we use interactive maps based on Leaflet. The maps load map data (tiles) from OpenStreetMap contributors or the configured tile provider.

In this context, particularly the IP address, browser and device data, the requested map section, and technical connection data may be transmitted to the tile provider. The recipient is the respective tile provider used (by default OpenStreetMap contributors).

The purpose is to display locations and service areas within the framework of platform usage. The legal basis is Art. 6 para. 1 lit. f GDPR (legitimate interest in a clear representation of locations), provided that maps are only loaded upon visible use; otherwise, consent may be required.

17h. Support Requests

When users or partners submit support requests, we process the contact, contract, partner, account, and message content provided in order to handle the request.

The legal basis is Art. 6 para. 1 lit. b GDPR, insofar as the request is related to an existing or initiated contractual relationship, and Art. 6 para. 1 lit. f GDPR for general evidence, security, and organizational interests.

17i. Data Disclosure and Data Export

Users can request information about their personal data and, where legally required, receive a structured export of their data (Art. 15 GDPR, Art. 20 GDPR, as applicable).

The export may include account data, saved offers, inquiries, and relevant log data, where available. We may conduct an identity verification before providing the data.

Logged-in users can request the export in their account settings; inquiries can also be sent to info@vehi.de.

18. Recipients of Personal Data

Recipients of personal data may include:

  • Partners when users make a request,

  • Hosting providers,

  • Object storage providers,

  • Email service providers,

  • Payment service providers,

  • AI service providers (OpenAI),

  • Geocoding service (Nominatim),

  • Rate-limiting providers (Upstash),

  • Analysis and marketing providers with consent,

  • Tax advisors, legal advisors, or authorities as necessary.

No transfer to uninvolved third parties will take place.

19. Data Processing Agreement

Insofar as service providers process personal data on our behalf, we enter into data processing agreements in accordance with Art. 28 GDPR.

20. Transfer to Third Countries

Some providers may process personal data outside the EU/EEA, particularly in the USA. This includes, in particular, Google, Meta, and Stripe, as well as OpenAI (AI processing of offer data), Postmark (email delivery), and Upstash (rate-limiting). Processing outside the EU/EEA cannot be excluded depending on the provider and configuration.

A transfer will only take place if suitable guarantees are in place, such as:

  • Adequacy decision,

  • EU standard contractual clauses,

  • EU-US Data Privacy Framework, as far as the respective provider relies on it,

  • Additional protective measures.

21. Duration of Storage

We only store personal data for as long as is necessary for the respective purposes.

Typical storage periods:

  • User account: until the account is deleted, provided there are no retention obligations,

  • Partner account: for the duration of the contractual relationship,

  • Billing data: in accordance with legal retention obligations,

  • Leads: as long as necessary for processing, validation, billing, and proof,

  • Click and tracking data: as long as necessary for billing, fraud prevention, and proof,

  • Newsletter data: until the consent is revoked,

  • Log files: only for the necessary security and operational period,

  • Support tickets: for the duration of processing and proof, followed by deletion or anonymization,

  • Audit logs: depending on the severity, 90 to 365 days,

22. Security

We implement technical and organizational measures to protect personal data against loss, misuse, unauthorized access, alteration, or disclosure.

These include, in particular:

  • encrypted transmission,

  • access restrictions,

  • role and permission concepts,

  • logging of administrative accesses,

  • regular security measures.

23. Rights of Data Subjects

Data subjects have the following rights under the GDPR:

  • Access,

  • Rectification,

  • Erasure,

  • Restriction of processing,

  • Data portability,

  • Objection,

  • Withdrawal of consent given.

You can object to the processing of your personal data for the purpose of direct advertising at any time (Art. 21 para. 2 GDPR). In the event of an objection, we will no longer process your personal data for these purposes.

Inquiries can be directed to info@vehi.de.

24. Right to Complaint

Data subjects have the right to lodge a complaint with a data protection supervisory authority.

25. Changes to this Privacy Policy

We may adjust this Privacy Policy if our platform, processes, or legal situation change.

The version published on vehi.de shall apply.

Updates from VEHI

Get occasional offers, tips and news about mobility.

We’ll send you a confirmation email to finish signing up. Your subscription is only active after you click the link. You can unsubscribe at any time. Details: Privacy.