Skip to main content

Privacy Policy

A. General Information

Name and contact details of the person responsible

The responsible person within the meaning of the data protection laws, in particular the EU General Data Protection Regulation (DSGVO), is:

Frank Elsinga representing "OpenSource @ TUM e.V.".

Frank Elsinga representing "OpenSource @ TUM e.V."
Postal address: Boltzmannstr. 3, 85748 Garching b. München, Germany
Telephone: 089/289-17052
E-mail: navigatum (at-symbol) tum.de
https://tum.dev

Contact details of the data protection officer

The Data Protection Officer of the Technical University of Munich
Postal address: Arcisstr. 21, 80333 Munich, Germany
Telephone: 089/289-17052
E-mail: beauftragter(at)datenschutz.tum.de

Feedback

The feedback form is used on a purely voluntary basis. The processing is based on Art. 6 para. 1 lit. a DSGVO. In order to use the feedback form, the Tearms of Service and GitHub Privacy Policy must be agreed to. Please note that data may be transferred outside the European Union. For non-public communication, please refer to the contact option via the Imprint.

Navigation is used on a purely voluntary basis. The processing is based on Art. 6 para. 1 lit. a GDPR. When using the navigation, users can enter their current location as a starting point in addition to addresses or rooms. This is then transmitted to our server and the route is returned to the user.

Map - location

The use of navigation is purely voluntary. The processing is based on Art. 6 para. 1 lit. a GDPR. While using the map, users can have their own location displayed on the map.

Nearby public transport

The detail pages for buildings and rooms include a "Nearby public transport" section that lists upcoming departures from stops near the location. Loading departures for a stop is purely voluntary - the section only contacts a third-party server once the user expands a specific station. The processing is based on Art. 6 para. 1 lit. f GDPR (legitimate interest in offering arrival/departure information for the displayed location). The user's browser contacts the Transitous public-transport API (https://api.transitous.org) directly to fetch real-time departures. NavigaTUM does not proxy these requests and does not see the response.

Learning-room availability

Detail pages of buildings or areas that have learning-room coverage include a "Learning rooms" section showing the current occupancy status of the building's learning rooms. The processing is based on Art. 6 para. 1 lit. f GDPR (legitimate interest in showing the current learning-room availability for the displayed building). For this, the user's browser contacts the Studentische Vertretung IRIS learning-room display (https://iris.asta.tum.de/api/) directly. Unlike the public-transport feature, this request is not triggered by an explicit action: it is sent automatically once the section becomes visible and then repeated roughly every 60 seconds (see the "Recipients" section for details). NavigaTUM does not proxy these requests and does not see the response.

Recipients of personal data

The technical operation of our data processing systems is carried out by:

Leibniz Computing Centre (LRZ) of the Bavarian Academy of Sciences and Humanities
Boltzmannstraße 1
D-85748 Garching near Munich
Telephone: (089) 35831 8000
Fax: (089) 35831 9700
E-mail: lrzpost(at)lrz.de
www.lrz.de

Third-party services contacted from the browser

Some features show live data by having the user's browser contact a third-party service directly. The same applies to all of these services: NavigaTUM does not proxy these requests, does not see the responses and stores no data from them. With every request, the technically necessary information reaches the respective third party - in particular the user's IP address and the browser-default HTTP headers (User-Agent, Referer). The Referer is restricted by NavigaTUM's referrer policy to the origin https://nav.tum.de/. No NavigaTUM identifier of the user and no search query entered elsewhere is sent along. NavigaTUM has no contract with any of these providers.

This currently concerns the following services:

Nearby public transport - Transitous

Transitous - community-run free and open public-transport routing
https://transitous.org
Source / contact: https://github.com/public-transport/transitous

The browser contacts https://api.transitous.org only once the user expands a specific station. In addition to the information listed above, the following is transmitted:

  • the public-transport stop identifier (e.g. a DELFI/GTFS stop ID) for the station the user opened
  • the requested language tag (de or en)

Transitous's own handling of these requests is described in their privacy policy (summary: IP, time, requested URL and User-Agent are logged for up to 2 days).

Learning-room availability - Studentische Vertretung IRIS

IRIS - learning-room display of the Studentische Vertretung (student representation) of TU Munich
Responsible body: Technical University of Munich, Arcisstraße 21, 80333 Munich
https://iris.asta.tum.de

On building/area pages that have learning-room coverage, the browser contacts https://iris.asta.tum.de/api/ automatically once the "Learning rooms" section becomes visible, and then again roughly every 60 seconds. As soon as the section scrolls out of view or the browser tab moves to the background, the refresh pauses. Beyond the information listed above, no further parameters are transmitted: the request always fetches the full Iris room list, which is identical for every user, and in particular contains no indication of which building the user is currently viewing.

How these requests are processed is described in the Studentische Vertretung IRIS privacy policy (summary: the web server logs the IP address, time and requested URL among others; log entries older than seven days are anonymized by truncating the IP address; operated by the LRZ).

If necessary, your data will be transmitted to the competent supervisory and auditing authorities for the exercise of the respective control rights.

In the event of electronic transmission, data may be forwarded to the State Office for Information Security in order to prevent threats to information technology security and processed there on the basis of Art. 12 et seq. of the Bavarian E-Government Act.

Duration of storage of personal data

Feedback

The data voluntarily provided by a user will not be technically deleted unless the user so requests.

In addition, a user can have his or her comment deleted by us at any time. To do so, please write an e-mail to us (navigatum (at-symbol) tum.de) and provide the link to your comment. In addition, you can also contact the data protection officer listed below and/or the person responsible for data protection.

The data is discarded after the navigation route has been calculated and is therefore not saved.

Map - Location

The data is not transmitted to our server and is therefore not saved.

Nearby public transport

NavigaTUM does not store any data from the "Nearby public transport" feature. The request leaves the user's browser directly for the Transitous API and the response is rendered client-side only.

Per the Transitous privacy policy, Transitous itself logs the following on the receiving side for up to 2 days (legitimate interest in debugging and abuse prevention):

  • the IP address of the requester
  • the time of the request
  • the requested URL (which in our case contains the stop ID and language tag)
  • the User-Agent header

After 2 days the log entries are deleted. Earlier deletion of entries that can be attributed to you (for example by IP address and timeframe) can be requested by e-mail directly from the Transitous server maintainer; the address is published on https://transitous.org/privacy/.

Learning-room availability

NavigaTUM does not store any data from the "Learning rooms" feature. The request leaves the user's browser directly for the Studentische Vertretung IRIS display and the response is rendered client-side only. Any logging takes place solely at Studentische Vertretung IRIS as the operator: per its privacy policy, the web server logs the IP address, time and requested URL among others; log entries older than seven days are anonymized by truncating the IP address (operated by the LRZ).

Your rights

If we process your personal data, you have the following rights as a data subject:

  • You have the right to information about the data stored about you (Art. 15 DSGVO).
  • If incorrect personal data is processed, you have the right to have it corrected (Art. 16 DSGVO).
  • If the legal requirements are met, you can request the deletion or restriction of processing (Art. 17 and 18 DSGVO).
  • If you have consented to the processing or if there is a contract for data processing and the data processing is carried out with the help of automated procedures, you may have the right to data portability (Art. 20 DSGVO).
  • If you have consented to the processing and the processing is based on this consent, you can revoke the consent at any time for the future. The lawfulness of the data processing carried out on the basis of the consent until the revocation is not affected by this.

You have the right to object to the processing of your data at any time on grounds relating to your particular situation, if the processing is carried out exclusively on the basis of Art. 6(1)(e) or (f) DSGVO (Art. 21(1) sentence 1 DSGVO).

Right of complaint to the supervisory authority

Furthermore, you have the right to lodge a complaint with the Bavarian State Commissioner for Data Protection. You can contact the Bavarian State Commissioner for Data Protection at the following address:

Postal address: P.O. Box 22 12 19, 80502 Munich, Germany.
Address: Wagmüllerstraße 18, 80538 Munich, Germany
Telephone: 089 212672-0
Fax: 089 212672-50
E-mail: post office(at)datenschutz-bayern.de
https://www.datenschutz-bayern.de/

Changes to our data protection policy

We reserve the right to adapt this data protection declaration so that it always complies with the current legal requirements or in order to implement changes to our services in the data protection declaration, e.g. when introducing new services. The new data protection statement will then apply to your next visit.

Questions to the data protection officer

If you have any questions about data protection, please write us an e-mail or contact the person responsible for data protection in our organisation directly. You can find this person under the contact options mentioned in the imprint.

B. Information about the website

Further information

For more detailed information on the processing of your data and your rights, you can contact us using the contact details given above (at the beginning of A.).

Information on the Internet presence

Technical implementation

Our web server is operated by the Leibniz Computing Centre of the Bavarian Academy of Sciences and Humanities (LRZ). The personal data you transmit when visiting our website is therefore processed by the LRZ on our behalf:

Leibniz Computing Centre (LRZ) of the Bavarian Academy of Sciences and Humanities
Boltzmannstrasse 1
D-85748 Garching near Munich
Telephone: (089) 35831 8000
Fax: (089) 35831 9700
E-mail: lrzpost(at)lrz.de
www.lrz.de

Logging

When you call up this or other Internet pages, you transmit data to our web server via your Internet browser. The following data is temporarily recorded in a log file during an ongoing connection for communication between your internet browser and our web server:

  • Date and time of the request
  • Amount of time the request took
  • Name of the requested file
  • Page from which the file was requested
  • Access status (file transferred, file not found, etc.)
  • web browser and operating system used
  • amount of data transferred.

In particular, no IP addresses or locations are logged.

The data in this log file is processed as follows:

  • The log entries are continuously evaluated automatically in order to detect attacks on the web servers and to be able to react accordingly.
  • In individual cases, i.e. in the case of reported malfunctions, errors and security incidents, a manual analysis is carried out.

Since no information is logged that can be clearly traced back to individuals, it is not possible to draw conclusions about individual persons.

Log entries are automatically deleted after a maximum of 2 weeks.

External service providers

We have no current contracts with external service providers.

Active components

Active components such as JavaScript, Java applets or Active-X controls are used on this website. This function can be switched off by you through the settings of your Internet browser.

SSL encryption

To protect the security of your data during transmission, we use state-of-the-art encryption procedures (e.g. SSL) via HTTPS.

Search queries

Search queries are not stored beyond the regular logging (see above). However, to reduce the server's response times, queries can be cached (temporarily stored) in the server's main memory. The caching period is a maximum of one week.

Anonymous statistics

In order to recognise problems and to further improve the offer, anonymous statistics are collected when using the services. These do not allow any traceability to the persons using the services.

Cookies

Like many other websites, we also use so-called "cookies". Cookies are small text files that are stored on your end device (laptop, tablet, smartphone or similar) when you visit our website.

You can delete individual cookies or the entire cookie inventory. In addition, you will receive information and instructions on how to delete these cookies or block their storage in advance. Depending on the provider of your browser, you will find the necessary information under the following links:

Technically necessary cookies

Type and purpose of processing

We use cookies to make our website more user-friendly. Some elements of our website require that settings selected by the user are also available after a page change. The purpose of using technically necessary cookies is to make websites easier for users to use. Some functions of our website cannot be offered without the use of cookies.

We require cookies for the following applications:

  • Adoption of language settings
  • Acceptance of theme settings

This website uses these cookies solely for the purpose of storing language and theme settings. A corresponding, non-personal, cookie is only set when the default setting is changed.

Storage period

Cookies are not logged or stored on the server side. Therefore, tracking via cookies is not possible. In the browser, the storage period is one year.

C. Information on individual processing

Feedback

When contacting us via a feedback form, the user's details are processed for the purpose of handling the contact enquiry and its processing pursuant to Art. 6 Para. 1 lit. b) DSGVO. A traceability to the person is only possible insofar as personal data is contained in the sent text. In addition to the data provided by the user, the room about which feedback was given, the date and the time of the feedback creation are also sent. It is also stored whether the user wishes the transmitted data to be deleted after the feedback processing has been completed.

Recipient

The transmitted feedback is stored publicly accessible on GitHub as part of our commitment to transparency. This means that they are not technically limited to one group of people. The user is presented with an issue link to track the processing of the feedback. If the user has requested immediate deletion, this function can no longer be technically provided.

Provision mandatory or required

The provision of this non-personal data is voluntary.

During navigation, users can enter their current location as a starting point in addition to addresses or rooms. This is then transmitted to our server and the route is returned to the user. The location is not saved.

Receiver: During the calculation of the navigation route, our server has access to the route requested by the user. This information is then deleted again.

Provision prescribed or required: The provision of this personal data is voluntary.

Map - Location

While using the map, users can display their location on the map.

Recipients: The data is not transmitted to servers and is purely local.

Provision prescribed or required: There is no provision of this personal data.

Nearby public transport

On building/room detail pages, the user can expand a nearby public-transport stop to view its upcoming departures. Until the user explicitly expands a station, no request to a third-party server is made.

Recipient: The request goes directly from the user's browser to the Transitous public-transport API (https://api.transitous.org). NavigaTUM does not proxy these requests, does not see the response and does not store any data from this feature. The Transitous side logs the IP address, request time, requested URL and User-Agent for up to 2 days; the full Transitous privacy policy lists the deletion contact.

Provision prescribed or required: The provision of the stop identifier and the request itself is voluntary; if the user does not expand the section no data is sent to Transitous.

Learning-room availability

On building/area pages that have learning-room coverage, the "Learning rooms" section shows the current occupancy status of the learning rooms. Once this section is visible, the browser loads the status automatically and refreshes it roughly every 60 seconds; while the section is off-screen or the tab is in the background, the refresh pauses.

Recipient: The request goes directly from the user's browser to the Studentische Vertretung IRIS display (https://iris.asta.tum.de/api/). NavigaTUM does not proxy these requests, does not see the response and does not store any data from this feature. The request contains no NavigaTUM identifier and no indication of the building being viewed. How Studentische Vertretung IRIS, as the operator, processes these requests is described in its privacy policy.

Provision prescribed or required: The provision is voluntary; if the user does not open a building/area page that has learning-room coverage, or the section is not visible, no data is sent to the Studentische Vertretung IRIS display.