Data Protection Concept for the Radbonus App

As of 19.02.2026

Introduction

Purpose and Objective of the Data Protection Concept

The Radbonus app takes an unusual approach to data protection: it completely forgoes collecting identifying personal data. This data protection concept documents the technical and organizational measures that ensure a data-minimized and anonymous user experience. The goal is to consistently protect users' privacy while meeting legal requirements, especially the GDPR. The Radbonus app processes usage data without any link to identity. From the perspective of Radbonus GmbH as the controller, the data cannot be assigned to an identified or identifiable natural person (Recital 26 GDPR; relative personal reference according to CJEU C-413/23 P). Radbonus proactively complies with the GDPR principles.

Scope of the Data Protection Measures

This data protection concept applies to the entire Radbonus app as well as all associated server applications and services within the respective Partner World. It describes the collection, processing, storage, and protection of data in order to fully safeguard users' privacy. The concept is accepted by the user when entering the Partner World and applies for the entire duration of use within this Partner World.

Definitions and Terms

• Radbonus app: A mobile application for iOS and Android that lets users record their cycling activities without providing any identifying personal data and take part in Challenges.
• User: Any natural person who uses the Radbonus app.
• Data protection: The protection of personal data against misuse and unauthorized access.
• GDPR: The European Union's General Data Protection Regulation, which governs the protection of personal data.
• Personal data: Any information relating to an identified or identifiable natural person.
• Anonymous data: Data that does not relate to an identified or identifiable natural person, or that has been anonymized in such a way that the data subject can no longer be identified (cf. Recital 26 GDPR). Anonymous data does not fall within the scope of the GDPR.
• Identification number (Radbonus ID): A purely technical identifier generated using a random generator and created when the Radbonus app is installed. The ID has no connection to the device, the person, or any other identifying feature. It serves solely as a technical key for assigning usage data within the system. The records linked via the Radbonus ID do not themselves contain any personal data — the ID is therefore a key to anonymous data, not to a person.
• Partner World: A partner environment configured within the Radbonus app in which specific Challenges, Battles, and Missions are offered.
• High-security data centers: Data centers with high security standards in which the servers of Radbonus GmbH are operated.

---

Data protection approach

The Radbonus app follows a data protection approach that has no comparable counterpart in the field of employee fitness and bike-promoting apps:

• Data processing without identity reference: Radbonus processes usage data without knowing the users' identities. Neither the app nor the backend stores personal data such as name, address, email, or phone number. Technical assignment of usage data is carried out exclusively via a Radbonus ID generated by a random number generator, which has no connection to the user's device or person. There is no mapping table that allows a link between the ID and a natural person. The records linked via the ID do not contain any personal data themselves — the Radbonus ID is therefore a technical key to non-identity-based data, not to a person.
• Anonymous use: Users can use the app completely without providing identifying personal data. All data stored on the server is anonymous within the meaning of Recital 26 GDPR — there is no identity attribute, no mapping table, and no technical path that would allow a link between the records and a natural person.
• Local data processing: Geocoordinates and other sensitive data are processed exclusively locally on the user's device and then deleted. No location data is stored on the server.
• Secure server infrastructure: All data is stored on our own bare metal servers operated in Germany in highly secure data centers certified according to ISO/IEC 27001. No cloud services are used for storage.
• Encrypted communication: Data transfer between the app and the servers takes place over encrypted connections (SSL/TLS) to ensure the confidentiality and integrity of the data.

This data protection approach ensures that even in the event of a security issue, no identifiable personal data can be exposed, because such data is never collected or stored at any point. To the best of Radbonus GmbH's knowledge, this architecture is unmatched in the employee bike-promotion app market segment — comparable providers typically rely on account-based systems with email registration, GPS tracking, and third-party analytics.

---

Responsibilities

Data Protection Officer

The Data Protection Officer of Radbonus GmbH is Johannes Milczewski. He is responsible for monitoring and ensuring compliance with data protection regulations within the company. Johannes Milczewski has extensive expertise in data protection law and data security. He is the central contact person for all data protection-related questions and concerns.

Tasks of the Data Protection Officer

• Monitoring compliance with data protection regulations: Ensuring that all data protection requirements in accordance with the GDPR and other relevant laws are met. Regular review and updating of data protection policies and procedures.
• Advice and training: Advising management and employees on all data protection matters. Carrying out training sessions and awareness measures for employees regarding data protection and data security.
• Cooperation with the supervisory authority: Contact point for the data protection supervisory authority and support with inquiries or audits.
• Monitoring data processing processes: Regular review of data processing processes to ensure that the anonymity of usage data is maintained. Implementation and monitoring of technical and organizational measures to protect the data.
• Documentation and reporting: Maintaining a record of processing activities and preparing reports on data protection measures and their effectiveness. Documentation and proof of compliance with data protection requirements.

Responsible parties and contact information

Radbonus GmbH, represented by the managing directors Marius-Eugen Gerdan and Katharina Gerdan-Dörenhoff, is the responsible party for operating the Radbonus app. If you have any questions or concerns about data protection, you can contact the Data Protection Officer, Johannes Milczewski.

Contact information for the Data Protection Officer:

• Johannes Milczewski
• E-mail: privacy@radbonus.com
• Phone: +49 221 177 32 99 - 0

---

Data collection and processing

The Radbonus app allows users to record their cycling activities without any link to their identity. From the perspective of Radbonus GmbH as the controller, the usage data processed cannot be assigned to an identified or identifiable natural person. This concept ensures that users' privacy is protected at the architectural level — not through retroactive measures, but by refraining from collecting identifying data.

Types of data collected and how they are processed

Radbonus ID

• A purely technical identifier generated by a random number generator and created when the app is installed.
• The ID has no connection to the device, phone number, hardware identifiers, or any other identifying characteristics of the user. Neither Radbonus nor any third party maintains a mapping table that links the ID to a natural person.
• The Radbonus ID is a key to non-identifying data records: the data linked via the ID (distances, timestamps, Challenge participation, favorites) do not themselves contain any information that would allow a natural person to be identified. A stable identifier does allow the same profile to be recognized within the system (singling-out/linkability), but without identity data or linking characteristics it does not establish identifiability within the meaning of Recital 26.
• The ID can be used by the user to transfer their usage data to another device. This is comparable to a coat-check number: the holder can retrieve their data, but Radbonus GmbH never knows which natural person is behind a specific Radbonus ID.

Optional: Nickname

• Users can voluntarily set a nickname as their display identifier in public rankings. If no nickname is set, a heavily shortened fragment of the Radbonus ID (the first characters) is shown as a placeholder. In both cases, the display identifier is partner-world-specific and cannot be linked across different Partner Worlds.
• Active confirmation before entry: Before the input field is unlocked, the user is informed: "Your nickname is visible to other participants. Please choose a name that cannot be traced back to you — so no real name, no initials, no department, and no company name." The user must actively confirm: "I confirm that my nickname does not contain any personal data and cannot be traced back to me." This explicit confirmation documents that Radbonus has informed the user of the requirements and that the user takes responsibility for choosing a non-identifying nickname.
• Automated validation before storage: Before being saved, every nickname undergoes a two-stage automated check:Layer 1 — Rule-based pattern recognition: Detection and rejection of entries that structurally indicate personal data: email addresses (pattern: @.*), phone numbers (digit sequences of 7 or more characters), date formats and years in the range 1940–2015 (typical birth years), URLs, and social media handles (@ prefix).Layer 2 — AI-based semantic analysis (local LLM): A language model running locally on the Radbonus infrastructure checks the nickname for identifying content that cannot be reliably captured by rules alone. The model detects, among other things: full names and surname combinations (e.g. "KathiMueller", "ThomasB."), first names with identifying additions (e.g. "HR Kathi", "Sales Peter"), department and role descriptions (e.g. "TeamFinanceHR", "InternSummer2025"), initials combined with years or departments (e.g. "TK1990", "MK-Accounting"), location or branch names with a personal reference (e.g. "ColognePeter", "BranchHH-Lars"), as well as subtle combinations that could make identification possible in connection with a Partner World. No nickname entries are sent to external services. No usage data, no Radbonus ID, and no information about the Partner World are passed to the review model — the assessment is based solely on the nickname text itself.
• If a nickname is rejected, the user gets a prompt to choose a non-identifying nickname, with a specific hint about the type of issue detected (e.g. “Your nickname may contain a real name. Please choose a nickname that does not allow conclusions to be drawn about you.”). Rejected nicknames are not stored and are not logged — the check happens in real time, and if it is rejected, no data remains in the system. The automated check does not constitute an automated decision within the meaning of Art. 22 GDPR, because it has no legal effect and does not cause any significant impairment — only the choice of an optional convenience feature (display name) is affected, not access to the service or its functionality. Radbonus GmbH is aware that the AI-based analysis can lead both to false rejections (false positives) and to identifying nicknames that are not detected (false negatives). The system is deliberately calibrated conservatively (reject in case of doubt), because a wrongly rejected nickname merely prompts the user to choose again, while an identifying nickname that slips through would weaken the anonymity architecture. Detection quality is reviewed regularly and the model is recalibrated if needed. The check model is subject to documented model governance: every model version is versioned and validated against an internal test corpus before use, which includes both permitted nicknames and known patterns of identifying inputs. Changes to the model are logged and require approval by qualified employees. If a user believes that their nickname was wrongly rejected, they can request a manual review via the Data Protection Officer. During the manual review, only the proposed nickname text is assessed — no personal data of the user is collected or stored.
• The display identifier (nickname or shortened ID fragment) is partner-world-specific and cannot be linked across different Partner Worlds. It is stored server-side in relation to the Radbonus ID.

Optional: Device tokens (push notifications)

• Used for sending push notifications to the respective end device when the user expressly wants this.
• Enable communication with and informing users about new challenges and rewards.
• Technical implementation and data separation: Push notifications are sent via Firebase Cloud Messaging (FCM). The device tokens used for this are technical delivery identifiers that serve solely to transport the message to the end device. Device tokens are encrypted on Radbonus servers and stored strictly separately from the other usage data (distances, timestamps, Challenge participations). The push payloads contain only generic notifications identical for all recipients and with no personal reference — for example: „Competition X starts", „Only 3 days left until the end of the Challenge", „You won!". No user-specific content, Radbonus IDs, performance data, event IDs, profile data, or any other information that could enable profiling or identification is transmitted via FCM. Compliance with this restriction is enforced server-side by the notification logic: push messages are sent exclusively through predefined message templates that do not allow any dynamic user-related data content.
• Data protection classification: Radbonus GmbH treats device tokens, as part of its precautionary GDPR compliance approach, as potentially personally identifiable online identifiers within the meaning of Recital 30 GDPR, even though from the solely decisive perspective of Radbonus as controller (cf. CJEU C-413/23 P) there are no means whatsoever to assign a device token to a natural person. By this precautionary classification, Radbonus ensures that even under a strict supervisory authority assessment, all data protection requirements are met.
• Legal basis: The processing of device tokens is carried out solely on the basis of the user's explicit consent (Art. 6(1)(a) GDPR). Consent is obtained via the operating system's built-in permission dialog (iOS/Android) and can be withdrawn at any time.
• Processor role: In the context of FCM, Google acts as a processor pursuant to Art. 28 GDPR. Processing takes place on the basis of the Firebase Data Processing and Security Terms, which contractually prohibit Google from combining Customer Data with personal information from its own interactions with the user or from third parties. As the operator of the FCM infrastructure, Google does have the technical platform on which device tokens are generated and processed. However, correlating FCM tokens with Google accounts for the purpose of identifying Radbonus users does not constitute a means likely to be used in a reasonable manner within the meaning of Recital 26 GDPR — this follows both from the contractual commitment (Art. 28 GDPR), the explicit prohibition on combining data in the Firebase contractual terms, and the lack of any data protection legal basis and legitimate interest on Google’s part.
• International data transfer: To the extent that FCM involves processing device tokens on servers outside the EEA, this is carried out on the basis of Google’s Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR and Google LLC’s certification under the EU-U.S. Data Privacy Framework pursuant to Art. 45 GDPR. Radbonus GmbH has additionally carried out a Transfer Impact Assessment (TIA), which confirms the adequacy of the level of protection taking into account the nature of the data transmitted (generic device tokens without personal reference from Radbonus’s point of view), the contractual safeguards, and the legal situation in the third country.
• Retention period: Device tokens are stored in encrypted form on the server for as long as the user has push notifications enabled. If consent is deactivated or withdrawn, the device token is deleted immediately and irreversibly. Inactive tokens are automatically cleaned up at regular intervals.
• Radbonus has no knowledge of whether a stored device token is still active or valid. The tokens serve solely as a technical transport path and do not constitute an identifying feature for Radbonus.
• The push service can be disabled at any time in the Radbonus app or via the operating system settings.

App and operating system information

• Information about the app version in use, the operating system, and its version.
• Helps with optimizing and troubleshooting the app.
• This technical data supports the continuous improvement of the user experience without compromising privacy.

Distances ridden

• Information about the distances ridden, including start and end times.
• This data is assigned to the corresponding challenges, battles, and missions.
• It is stored anonymously with respect to the Radbonus ID.

Bike type

• The type of bike used (e.g. MTB, BMX).
• This information is used for better analysis and to adapt app features.
• It is stored anonymously with respect to the Radbonus ID.

Optional: Membership in a team

• When taking part in team activities, team membership can be specified.
• This information is used for the team ranking.
• To rule out the theoretical risk of re-identification through inference in small groups, no Team Battles are intentionally offered in which small, potentially identifiable teams (e.g. 2–3 people) could form. Team activities are designed so that individuals within a team cannot be identified based on their activity patterns.
• It is stored anonymously with respect to the Radbonus ID.

Membership in a Partner World

• Information about whether the user is assigned to a specific Partner World.
• Used to take part in special partner campaigns and challenges.
• It is stored anonymously with respect to the Radbonus ID.

Favorites

• Users can save challenges as favorites.
• It is stored anonymously with respect to the Radbonus ID.

Prize winnings

• Information about whether users have won a prize and whether they declined or accepted it.
• It is stored anonymously with respect to the Radbonus ID.

Data not stored

The Radbonus app deliberately does not store any data that could identify a person. This includes:

• IP address: Radbonus does not store, log, or analyze users’ IP addresses at any time. Processing of IP addresses in connection with the Radbonus infrastructure can be divided into three clearly separate layers:Layer 1 — Transport route (telecommunications providers): The transport route of an HTTP request from the user’s end device to the data center passes through the infrastructure of telecommunications providers and internet exchange points. Any processing of IP addresses that occurs there (routing, packet forwarding) is carried out by the respective network operators within the scope of their own responsibility under the TKG and the GDPR. Radbonus is neither the controller nor the processor for this transport route.Layer 2 — Load balancer (Hetzner Online GmbH): The backend infrastructure of the Radbonus app uses the load balancer service of Hetzner Online GmbH in Frankfurt am Main as a managed service. The load balancer terminates the incoming TCP/TLS connection and forwards the request to the Radbonus application servers behind it. In doing so, the load balancer necessarily processes the user’s IP address at network level — this is an inherent part of any TCP/IP communication. Radbonus does not operate the load balancer itself and has neither administrative access to its configuration nor to any connection data or logs that may arise there. A Data Processing Agreement pursuant to Art. 28 GDPR exists with Hetzner Online GmbH. As a German data center operator, Hetzner is directly subject to the GDPR. Defense against network-based attacks (DDoS protection, volumetric attacks) is also provided by Hetzner at this layer before the traffic reaches the Radbonus application layer.Layer 3 — Radbonus application servers (backend): The Radbonus application servers are located behind the load balancer service. Forwarding of the original client IP via HTTP header (e.g. X-Forwarded-For) is disabled on the Hetzner load balancers. The backend servers therefore receive the user’s IP address with no request — neither as connection information nor in HTTP headers. The user’s IP address is not technically available at application level. In addition, the application logic does not use IP addresses for authentication, rate limiting, geolocation, logging, or any other purpose. There is no code path in the Radbonus application that accesses or processes IP information.Summary: A user’s IP address is necessarily processed on the transport route and at the load balancer’s network level — this is the case with any TCP/IP communication and is outside Radbonus’ sphere of influence. Forwarding the client IP to the backend servers via X-Forwarded-For is disabled on the load balancers. At the application layer, which is fully under Radbonus’ control, the user’s IP address is therefore technically unavailable and no processing takes place. Linking IP addresses with Radbonus IDs or usage data is not possible either at the network level (Hetzner has no connection to Radbonus IDs) or at the application level (IPs are not available). Security monitoring of the Radbonus systems takes place exclusively at the application level and does not depend on IP addresses (see section “Technical and organizational security measures").
• Geo coordinates of the routes ridden: Used exclusively locally on the end device to calculate the route and then deleted. No location data is stored server-side.
• Name, address, email, phone numbers: Such personal data is not collected or stored.

Purpose of data collection and processing

The collected data is used exclusively to operate the Radbonus app. This includes improving the user experience, providing content, and taking part in Challenges, Battles, and Missions. Since usage data is collected without any link to identity, the Radbonus app ensures that users’ privacy is always protected.

Prize winnings

If a user wins a prize, prize handling is carried out entirely outside the Radbonus app and without Radbonus collecting any personal data. The app simply shows the user the prize. Redemption takes place via mechanisms provided by the partner, such as voucher codes, which are displayed directly in the app and do not require any personal data to be entered. No personal data is stored in connection with prize handling, either in the app or on the servers of Radbonus GmbH.

---

Legal bases and classification of data processing

Classification of the processed data

The Radbonus app processes only usage data, which is to be classified as anonymous data within the meaning of Recital 26 of the GDPR. The following analysis substantiates this classification.

Assessment standard: Recital 26 GDPR

Under Recital 26 GDPR, the principles of data protection do not apply to anonymous information — i.e. information that does not relate to an identified or identifiable natural person. To determine whether a person is identifiable, account must be taken of all means reasonably likely to be used to identify the natural person directly or indirectly. In doing so, all objective factors must be considered, in particular the costs of identification and the time required for it, the technology available at the time of processing, and technological developments.

Current case law: CJEU C-413/23 P of September 4, 2025 (Relative personal reference)

In its judgment of September 4, 2025 in EDPS v Single Resolution Board (C-413/23 P), the Court of Justice of the European Union confirmed and clarified key principles for classifying data as personal or anonymous:

• Relative personal reference: Whether data is personal is determined solely from the perspective of the relevant controller. The same data can be personal for one controller and anonymous for another (paras. 75, 76, 86).
• Pseudonymous data can be anonymous: Pseudonymized data is to be regarded as anonymous for a recipient who has no legal or factual means of re-identification. The mere existence of additional information with another actor does not mean the data is personal for every recipient (para. 82).
• Decisive factor: realistic means of re-identification. What matters is not the theoretical possibility of attribution, but whether the relevant controller has means reasonably likely to be used to assign the data to a specific person.

This case law directly supports classifying Radbonus usage data as anonymous: Radbonus has no means whatsoever — neither legal nor factual — to assign the Radbonus ID to a natural person. There is no key, no mapping table, and no technical path to re-identification. From the only relevant perspective, that of Radbonus as controller, the data is anonymous.

Distinction from cookie IDs and online identifiers

Randomly generated identifiers (e.g. cookie IDs, tracking IDs) can, according to the established case law of the CJEU, constitute personal data if they can be linked with additional information in order to recognize users or create profiles (cf. CJEU C-673/17 „Planet49", para. 45 ff.; Recital 30 GDPR). The decisive factor is not the randomness of the identifier, but the possibility of assigning it to a natural person.

The Radbonus ID differs from the typical cookie/tracking ID scenario in several key respects:

• No account data: There are no email addresses, names, or any other identifying account information that the Radbonus ID could be combined with.
• No device linkage: The Radbonus ID is not derived from device identifiers and is not linked to them. There is no technical connection between the ID and the IDFA/GAID, MAC address, or other hardware identifiers.
• No cross-service tracking: The Radbonus ID is used exclusively within the Radbonus app. It is not shared with ad networks, analytics services, or any other third parties that could enable cross-service profiling.
• No location data: No GPS coordinates are stored on the server side that could, in combination with the ID, produce an identifying movement profile.
• No IP address processing at application level: The forwarding of the client IP via X-Forwarded-For is disabled on the Hetzner load balancers. The Radbonus application servers receive the user's IP address neither as connection information nor in HTTP headers. In addition, there is no code path in the application that accesses IP information. The unavoidable processing of IPs at network level (load balancer, transport path) is documented in the section „Data Not Stored".

While cookie IDs typically operate in an ecosystem in which account data, device identifiers, location data, and third-party networks make linkage possible, all of these points of connection are absent in the Radbonus system. The mere existence of a randomly generated identifier does not by itself create a personal data relationship — it is the possible links that make the difference under data protection law.

Analysis: Why the processed data is anonymous

The central question is: Can a natural person be identified via the Radbonus ID or the data records linked to it — by Radbonus, by partners, or by third parties?

The Radbonus ID is a key to anonymous data, not to a person:

The Radbonus ID is generated using a random generator. It has no connection to the device, phone number, hardware identifiers, third-party accounts, or any other identifying features. Neither Radbonus nor any third party has a mapping table that would make it possible to link the ID to a natural person. The records linked via the ID contain usage data without any identity reference: distances ridden, timestamps, Challenge participation, bike type, favorites, and reward information. None of these data fields contains personal information. Radbonus does not have any additional information that would make it possible to assign the data to a natural person. A technical key that refers to non-identity-based records and for which no linkability exists does not establish a personal data reference within the meaning of Recital 26 — neither the key itself nor the data linked to it become personal data by virtue of the existence of the key.

Distinction from pseudonymization:

Pseudonymization within the meaning of Art. 4 No. 5 GDPR exists when personal data are processed in such a way that they can no longer be assigned to a specific person without the use of additional information — with that additional information being kept separately. In the case of the Radbonus app, however, no such "additional information" exists: There is no mapping table, no mapping, no database, and no technical path that creates a connection between the Radbonus ID and a natural person. The Radbonus ID does not replace a previously known identity — it was never linked to an identity.

On the topic of "singling out":

Singling out and linkability are technical properties of stable identifiers. For the data protection assessment, what matters is whether, taking into account means likely to be used by a reasonable person, assignment to a natural person is possible (Recital 26 GDPR).

Recital 26 GDPR names singling out as one factor in assessing whether data can be assigned to a natural person. Singling out describes the ability to isolate an individual record in a database and distinguish it from other records. In the Radbonus system, there is no point of linkage for this: no identity data, no location data, and no IP addresses are processed at application level; partners and other users see only aggregated kilometer totals without time or event details. In detail:

Singling Out is a risk factor, but without an identity bridge it is not enough. The Article 29 Working Party (WP 216) distinguishes three criteria for assessing anonymization methods: Singling Out, Linkability, and Inference. In the Radbonus system, Singling Out is technically possible (the Radbonus ID makes it possible to isolate a data record), and Linkability within the system is given (records with the same ID can be linked to one another). However, there is no realistic way to determine a natural person from this. What matters is not mere isolatability, but whether the isolated data record can be assigned to a natural person — directly or indirectly, by the controller or by third parties using means likely to be used according to general reasonableness.

The Radbonus records contain no identifying data fields. An isolated Radbonus record contains: a randomly generated ID, a distance in kilometers, a timestamp, and, if applicable, Challenge participation. None of these fields identifies a person. The timestamp documents when a distance was reported to the system — not when or where a ride started or ended. The distance describes a route without a start or end point, without a route, without any geographic reference. 12.3 km can be any route between any points. Without geographic location, movement data lacks the feature that makes it identifiable: spatial context. A commuter who rides 15 km every day is not distinguishable from hundreds of thousands of other people who also ride 15 km from the Radbonus data.

The often-cited scenario “only one person rides 40 km at night” assumes knowledge that neither Radbonus nor the partner has. To infer a specific person from the record “random ID XYZ, 40 km, 23:15” an attacker would need access to two sources of information at the same time: (1) access to Radbonus’ individual usage data (timestamp, distance per user) and (2) external contextual knowledge about the members of the relevant Partner World (who rides when and how far). Radbonus’ architecture ensures that these two sources of information never come together in the hands of any one actor: Radbonus has the individual usage data, but knows neither the identity nor the habits of the partner’s employees. The partner knows its employees, but receives from Radbonus only aggregated total kilometers — no individual timestamps, no distances per ride, no activity patterns of individual users (see section “Data Protection Role of the Partners”). Even a person who were both a Radbonus employee and a partner employee would have no access to the individualized usage data of other Radbonus IDs.

Linkability fails because there are no linking points. Linking Radbonus records with external data sources (fitness apps, time tracking systems, social media) would require a shared identifier — an email address, a device ID, an IP address, a location. None of these linking points exist in the Radbonus data. The Radbonus ID is randomly generated and has no connection to devices, accounts, or people. Without a shared key, systematic linking with external data sources is not possible.

On the residual risk from inference in edge cases:

Radbonus acknowledges that in theoretical extreme cases — for example, in a Partner World with a very small single-digit number of participants — the ratio of known participants to records could make narrowing down possible. However, for several reasons this residual risk is not a means likely to be used according to reasonable judgment within the meaning of Recital 26: It requires combining external contextual knowledge with individualized usage data, which, for architectural reasons, never come together in the hands of any one actor. It presupposes an active interest in identifying individual cyclists, for which no economic or other motive is apparent. And even in the extreme case, it remains probabilistic — a distance of 40 km does not allow a certain conclusion, since other users may also have ridden the same distance on the same day.

This theoretical residual risk does not change the legal classification of the data as anonymous from Radbonus’ perspective as controller (cf. CJEU C-413/23 P on relative anonymity), but it does justify the additional protective measures documented below: AI-based nickname validation by a local language model with active user confirmation, the deliberate choice not to run Team Battles with small groups, the exclusive sharing of aggregated statistics with partners, the double protection barrier between contextual knowledge and individual data, the precautionary observance of GDPR standards as an additional protection framework, and the following operational small-world protective measures:

Operational small-world controls (architectural inference barriers):

• Minimum number of participants for rankings: Public leaderboards within a Partner World are only shown once there are at least 15 active users. Below this threshold, users see only their own data — no display identifiers and no kilometers from other participants. This measure eliminates the attack vector "small group + contextual knowledge" through architecture, not argument.
• Kilometer rounding (binning): In the ranking display, total kilometers are rounded to whole kilometers. Precise distance values (e.g. 12.37 km) are accessible only to the user himself in his app. Rounding reduces the distinctiveness of individual data points and makes it harder to identify someone based on conspicuous patterns.
• Delayed ranking update (delay): The ranking display is not updated in real time, but at defined intervals (e.g. daily). This means there is no time correlation between an observed ride and a ranking change — a colleague cannot say: "The Meerkat's mileage just went up, so that must have been Thomas who just arrived."
• No visibility of individual events to third parties: Neither partners nor other users see individual ride events, timestamps, distances per ride, or activity patterns. The only information visible to third parties is a rounded, delayed total mileage.

These measures ensure that even in the theoretical extreme case of small Partner Worlds, the data points required for an inference are not available architecturally. Anonymity is not just argued for, but technically enforced.

On profile transfer:

The Radbonus ID can be used by the user to transfer his usage data to another device. The fact that a user knows his own ID and can retrieve his own data does not create a personal reference from the perspective of the controller (Radbonus). What matters is the perspective of the controller and the question of whether that controller — or a third party using means reasonably likely to be used under ordinary circumstances — can make an attribution. Radbonus cannot do that. The situation is comparable to a cloakroom ticket number: the holder can collect his item, but the cloakroom operator does not know which person has which number.

On the "all means reasonably likely to be used" test (Recital 26) — scenario analysis:

The key question under Recital 26 GDPR is: Who has which information — and can a natural person be identified from it using means reasonably likely to be used under ordinary circumstances? Radbonus GmbH examined this question across all relevant actors:

Scenario 1 — Radbonus itself (controller): Radbonus has: Radbonus ID, start times, end times, duration, total km, optional nickname, challenge participation. Radbonus does not have: names, addresses, email, phone numbers, location data, IP addresses (X-Forwarded-For is disabled), device IDs, mapping tables. Radbonus knows neither the users' identities nor the internal structures, employees, or organizational processes of the partner companies. There is no identity attribute and no internal or external mapping source. Radbonus can recognize a usage profile internally (linkability), but cannot identify a natural person. Assessment: No identifiability from the controller's point of view. This is legally strong because the CJEU explicitly refers to the perspective of the respective controller (C-413/23 P).

Scenario 2 — External data leak (leak scenario): In the event of a hypothetical leak of the ranking display, only the following would be affected: display identifiers (truncated ID fragments or validated nicknames) and aggregated total kilometers. An external third party receiving this data has: no company context, no internal knowledge of employees, no riding habits, no mapping table. For example, they see: "Meerkatze — 1,800 km in May". They can: verify nothing, identify no real person, combine no additional data source in any meaningful way. Because there are no identity or linking data, assignment to natural persons is not possible for external third parties; the risk to the rights and freedoms of natural persons is correspondingly low. Assessment: Not identifiable to the outside world. An assessment under Art. 33/34 GDPR is still carried out as a precaution insofar as device tokens (push) could be affected (see section "Measures in the Event of Security Incidents").

Scenario 3 — Partner company (organizational level): According to the architecture, partners receive: aggregated world kilometers, participant counts, challenge completion rates. Partners do not receive: identifiers, individual kilometers, timestamps, Radbonus IDs, individual activity patterns. The partner does have contextual knowledge about its employees, but lacks all individual data. It cannot say: "This employee rode 1,800 km." It only sees: "12,400 km total in the world." Assessment: The partner cannot identify a single person because it lacks individual data.

Scenario 4 — Other users within the Partner World (colleague level): Other users see in the ranking: display identifier (nickname or shortened ID fragment) and rounded total kilometers in the competition period — but only once a minimum of 15 active users has been reached in the respective Partner World. Below this threshold, no rankings are shown. They do not see: start times, end times, duration, individual events, raw data. Individual ride times and data are accessible exclusively to the respective user in their app and are not displayed in any form visible to other users, partners, or Radbonus.

Typical attack vector in the data protection assessment: “A colleague knows that only one person on the team rides a bike every morning at 5:30 a.m. — they see the time in the ranking and can identify the person.” This vector is architecturally excluded in the Radbonus system: the ranking shows only a display identifier and an aggregated total kilometers figure for the competition period. Start times, end times, times of day, ride duration, individual distances, and activity patterns are never shown to other users in any form at any time. A colleague sees “Meerkatze — 1,800 km in May.” They do not see: “Meerkatze — 12.3 km, 5:32 a.m., duration 38 min.” The time-based behavior recognition that typically gives rise to re-identification scenarios fails because of the architecture — not because of an assessment decision, but because the data required for it is not available.

What remains is just the kilometer total: A colleague might guess “That’s probably Thomas, he rides a lot.” But: they have no access to raw data. They cannot verify their guess. They only see a display identifier and a single number (total km). Nicknames also undergo AI-supported validation (local LLM), which detects and rejects identifying content — so the nickname itself does not provide a reliable basis for identification. It remains a social guess based on a single, non-distinctive metric.

Assessment: Identifiability within the meaning of Recital 26 requires more than a speculative assumption. It needs a realistic, reliable assignment possibility based on means that are, in general, likely to be used according to objective judgment. If the data typically required for behavioral attribution (times, patterns, individual events) is not architecturally available and the only visible information is an aggregated kilometer total, then there is no basis for identification — it remains a guess, not an identification.

Scenario 5 — Combination of multiple data sources: Re-identification by combining external data sources (fitness apps, time tracking systems, social media) would require a shared identifier (email, device ID, IP address, location). None of these linking points exist in the Radbonus data. The Radbonus ID is randomly generated and has no connection to devices, accounts, or people. IP addresses are not available on the backend servers (X-Forwarded-For is disabled). Location data is never stored server-side. Without a common key, any systematic linking fails. The data stored server-side (distances, timestamps, bike type) do not form a sufficiently specific profile for re-identification: a distance describes neither the start nor the end point, and a timestamp documents the reporting time — not when or where a ride took place. Without geographical context, these data points lack the property that makes movement data identifiable: spatial context. 12.3 km could be any route whatsoever. Assessment: The “bridge” is missing. Without a bridge, every profile remains isolated.

Summary risk differentiation:

The key finding from the scenario analysis: there is no actor who simultaneously has contextual knowledge, verifiable individual data, and a linking feature.

• Radbonus: Has individual data — has no contextual knowledge — has no linking feature → not identifiable.
• External third party (leak): Has display identifier + total km — has no contextual knowledge — has no linking feature → not identifiable.
• Partner: Has contextual knowledge — has no individual data — has no linking feature → not identifiable.
• Colleague in a small Partner World: Has contextual knowledge — sees total km (partially) — has no linking feature → at best speculative, not verifiable.
• Third parties (Apple, Google, Firebase): The Radbonus ID is never transmitted to Google or any other third party. As the operator of the FCM infrastructure, Google has no connection to the Radbonus ID or to the usage data linked via this ID. Correlating FCM tokens with Google accounts for the purpose of identifying Radbonus users is contractually prohibited (Firebase Data Processing and Security Terms, Art. 28 GDPR), is not covered under data protection law, and does not constitute a means likely to be used by reasonable means (cf. CJEU C-413/23 P, para. 82). The same applies to Apple as the APNs operator on iOS devices.

The central protective barrier is that no actor has both contextual knowledge and verifiable individual raw data. Identifying a natural person would require one actor to have access at the same time to individualized usage data and identity-related contextual knowledge, and to be able to link that information. No such constellation exists in the Radbonus system.

Radbonus processes usage data without any personal reference; what third parties can see is only a non-identifying display identifier with aggregated mileage totals. Start/end times and duration are accessible only to the respective user. Partners do not receive any individual data.

Precautionary compliance with GDPR standards

The above analysis shows that the processed usage data is to be classified as anonymous data within the meaning of Recital 26 GDPR. Regardless of this classification, Radbonus GmbH has decided to comply with the key GDPR standards and principles as a precaution. This includes in particular:

• Granting users rights of access, rectification, and erasure (see section „Users' rights")
• Compliance with the principles of data minimization and purpose limitation
• Implementation of technical and organizational security measures in line with the state of the art
• Appointment of a data protection officer
• Regular review and documentation of data processing activities
• Precautionary maintenance of a record of processing activities

This precautionary self-commitment ensures that the protection of user data is guaranteed at the documented level, regardless of the legal classification.

Data Protection Impact Assessment (DPIA) — Threshold Test

Radbonus GmbH has checked whether a Data Protection Impact Assessment under Art. 35 GDPR is required. A DPIA is mandatory if processing is likely to result in a high risk to the rights and freedoms of natural persons, especially in cases of systematic monitoring, profiling, or large-scale processing of special categories of data.

Result of the threshold test: A DPIA is not required. This is due to the following reasons:

• No personal data: Based on the analysis set out here, the usage data processed is to be classified as anonymous. The GDPR, and therefore Art. 35, does not apply to anonymous data (Recital 26).
• No systematic monitoring: Location data is processed only locally on the end device and is never stored on the server side. There is no behavioral monitoring.
• No profiling: The data stored on the server side (distances, timestamps, Challenge participation) is not evaluated for profiling purposes. There is no automated decision-making with legal or similarly significant effects.
• No special categories of data: Health data, biometric data, or other data under Art. 9 GDPR are not collected.
• FCM tokens as a special case: The device tokens treated as potentially personally identifiable as a precaution are used exclusively to deliver generic notifications. The scope, nature, and purpose of this processing do not create a high risk.

Supporting consideration: Data Protection Impact Assessment (DPIA-Light) in the event of assumed personal data status

Even under the most conservative assumption that all usage data should be classified as personal data, Radbonus GmbH carried out a simplified impact assessment. The result confirms: Even if personal data status is assumed, there is no high risk to the rights and freedoms of natural persons.

Risk	Likelihood	Severity	Countermeasure	Residual risk
Re-identification by Radbonus (Controller)	Very low — no identity data, no mapping table, no contextual knowledge	Low — data without sensitive character	Architectural separation: Radbonus knows neither the users’ identities nor their company structure	Negligible
Re-identification by partner	Very low — partners receive only aggregated statistics	Low — no individual data available	Double protection barrier: partner has contextual knowledge, but no individual data	Negligible
Inference by colleagues in a small Partner World	Low — only rounded total km visible, no times/patterns	Low — suspicion remains speculative and unverified	Minimum participant count (15) for rankings, km rounding, delayed updates, LLM nickname validation	Negligible
Device token leak (push)	Low — tokens encrypted and stored separately	Low — token cannot be assigned without Radbonus ID	Encryption, separate storage, invalidation in case of incident, Art. 33/34 assessment	Low
External data leak (ranking data leak)	Low — bare-metal servers, ISO 27001, no cloud hosting	Very low — only display identifiers + rounded total km	Pen tests (quarterly), access controls, encryption, no identity attribute in the data	Negligible
Combination with external data sources	Very low — no shared identifier (no email, no device ID, no IP, no GPS)	Low — without a link point, no systematic combination is possible	No third-party APIs, no tracking, no account data, no location data server-side	Negligible

Result of the DPIA-Light: No identified risk reaches the threshold of “high risk” within the meaning of Art. 35 GDPR. The technical and organizational measures implemented reduce all residual risks to a negligible level. A full DPIA under Art. 35 is therefore not required, even if a personal reference is assumed. This simplified impact assessment is kept as documented proof of the risk assessment.

Regardless of this assessment, the protective measures documented in this concept — especially privacy by design, data minimization, and precautionary GDPR compliance — are retained as risk minimization.

Retention periods and data lifecycle

Because the Radbonus app processes usage data without any link to a person’s identity (with the exception of device tokens, which are treated as potentially personally identifiable as a precaution), the stored data is not subject to any deletion obligation under data protection law. Anonymous data do not fall within the scope of the GDPR and are not covered by the principles of storage limitation (Art. 5(1)(e) GDPR).

Even so, Radbonus GmbH follows a clear data retention strategy:

• Usage data (distances, timestamps, Challenge participations, favorites): Stored for as long as active use continues. Radbonus IDs and associated records with no activity for more than 24 months (no ride, no Challenge participation, no app interaction) are automatically deleted. After a Partner World ends, the data are retained for results documentation and deleted once the contractual retention obligation toward the partner expires.
• Device tokens: Deleted immediately as soon as the user disables push notifications or withdraws consent. Inactive tokens are regularly cleaned up automatically (see section „Device-Tokens").
• Nicknames and optional details: Deleted immediately when the usage profile is deactivated.
• Backups: Encrypted backups are created on a regular cycle. Backup retention is 6 months; older backups are automatically overwritten. Since backups do not contain identity-related data, rolling backup retention does not create any data protection risk either.

Retention overview:

Data category	Storage location	Purpose	Standard retention	Deletion trigger
Radbonus ID + usage data (distances, timestamps, Challenge participations, favorites, bike type)	Radbonus bare-metal servers (Frankfurt)	Service delivery, Challenge execution	Duration of active use	24 months of inactivity; user deactivation; end of Partner World + contractual retention period
Nickname	Radbonus bare-metal servers (Frankfurt)	Display name in the ranking	Duration of active use	Deactivation of the usage profile; change/removal by user
Device token (push)	Radbonus bare-metal servers (Frankfurt), encrypted + separated	Push notification delivery	As long as consent is active	Withdrawal of consent; deactivation in app/OS; inactivity cleanup
App/OS version	Radbonus bare-metal servers (Frankfurt)	Troubleshooting, compatibility	Duration of active use	24 months of inactivity
Backups (encrypted)	Radbonus bare-metal servers (Frankfurt)	Disaster recovery	6 months rolling	Automatic overwrite after 6 months

The fact that no legally defined retention periods apply to anonymous data is not a shortcoming, but the logical consequence of anonymization: where there is no personal reference, there is also no obligation to delete. The Radbonus GmbH's precautionary data retention strategy goes beyond what is legally required and ensures that anonymous data is not kept any longer than necessary.

Subprocessing (Subprocessor)

The Radbonus app is operated entirely on its own infrastructure. Data processing takes place on bare-metal servers operated by Radbonus GmbH itself in Germany. No cloud services, external databases, or third-party APIs are used to process usage data.

The following external services are used in connection with the operation of the Radbonus app:

• Hetzner Online GmbH (infrastructure): Data center operator and provider of the load balancer service. Hetzner provides the physical server infrastructure and the upstream load-balancing service. The bare-metal servers are administered by Radbonus itself; Hetzner has no access to application data. For the load balancer service through which user requests are routed, there is a Data Processing Agreement pursuant to Art. 28 GDPR. Hetzner operates data centers in Germany and Finland; the servers used by Radbonus are located exclusively in Frankfurt am Main. No transfer to a third country takes place.
• Firebase Cloud Messaging / Google (push notifications): Google acts as a processor pursuant to Art. 28 GDPR on the basis of the Firebase Data Processing and Security Terms. FCM is used exclusively for the optional sending of generic push notifications. The data protection classification, legal basis, transfer mechanisms, and retention period of the device tokens processed in this context are documented in detail in the section "Device-Tokens (Push Notifications)".
• Apple Push Notification Service / APNs (iOS delivery): On iOS devices, Firebase Cloud Messaging routes the delivery of push notifications internally via the Apple Push Notification Service (APNs). Apple processes the device-specific APNs token as a technical delivery identifier in this process. In this function, Apple acts as Google's subprocessor within the FCM infrastructure. The Apple Media Services Terms of Service and the Apple Privacy Policy apply. The Radbonus ID, usage data, or any other Radbonus-specific information is never transmitted to Apple. The push payloads contain only generic notifications without personal reference (see section "Device-Tokens").

Beyond that, there are no subprocessing relationships. In particular, no third-party analytics, tracking, advertising, or marketing services are used.

Measures to ensure anonymity

Radbonus GmbH uses the following technical and organizational measures to permanently ensure the anonymity of the processed data:

• Randomly generated Radbonus ID without personal reference: The Radbonus ID is generated using a random generator and has no connection to the device, phone number, hardware identifiers, or any other identifying features of the user. No mapping table exists.
• Anonymous data records without an identity bridge: All data records linked via the Radbonus ID contain no personal information. The combination of ID and usage data (distances, timestamps, Challenge participation) does not create a personal profile, as no identity attribute and no linking feature to a natural person exists.
• No storage of location data: Geocoordinates are processed exclusively locally on the end device and are deleted immediately after distance calculation. No location data is stored on the server side.
• Nickname validation via local LLM: Before a nickname is stored, a two-stage automated check is performed: rule-based pattern recognition (email addresses, phone numbers, birth years, URLs) as well as AI-supported semantic analysis by a language model operated locally on the Radbonus infrastructure, which detects real names, department names, role names, combinations of initials, and subtle identification patterns (e.g. „HR Kathi", „Sales Peter", „TK1990"). The input requires the user's active confirmation that the nickname does not contain any personal data. The language model runs locally; no nickname inputs are transmitted to external services (details in the section „Data collection").
• No collection of personal data during prize processing: Prize processing takes place without the user providing any personal data to Radbonus.
• Architectural non-processing of IP data: The Radbonus application servers are located behind the load balancer service of Hetzner Online GmbH (location Frankfurt am Main). The load balancer necessarily processes IP addresses at the network level (TCP/IP communication). Forwarding of the client IP via X-Forwarded-For is disabled — the backend servers receive the user's IP address neither as connection information nor in HTTP headers. A Data Processing Agreement pursuant to Art. 28 GDPR exists with Hetzner. The transport path from the end device to the data center lies within the responsibility of the respective telecommunications providers. A link between IP addresses and Radbonus IDs is not possible either at the network level (Hetzner has no connection to Radbonus IDs) or at the application level (IPs are not available).
• Operational small-world controls: Public leaderboards are only shown once there are at least 15 active users. Kilometers are rounded to whole numbers in the ranking display. The ranking is updated at defined intervals, not in real time. These measures eliminate the attack vector “small group + contextual knowledge” at the architectural level (details in the section “Operational Small-World Controls”).
• Regular anonymity assessment: Radbonus GmbH regularly checks whether the processed data can still be classified as anonymous, taking current technological developments and case law into account.

Legal bases for data processing

Although the core data in the Radbonus system are to be classified as anonymous based on the analysis set out here, and the GDPR therefore does not apply, Radbonus assigns the processing activities to the following legal bases as a precaution:

Performance of a contract / service provision (Art. 6 para. 1 lit. b GDPR by analogy): The following data processing activities are functionally necessary to provide the Radbonus service within the respective Partner World:

• Recording distances and timestamps for Challenge participation
• Membership in a team for team activities
• Saving Challenges as favorites
• Providing a bike type to take part in bike-type-specific Challenges

These processing activities do not require separate consent, as they directly serve the provision of the service.

Consent (Art. 6 para. 1 lit. a GDPR): For processing that goes beyond the core functionality and potentially concerns personally identifiable data, explicit consent is obtained:

• Push notifications via Firebase Cloud Messaging (consent via the operating system permission dialog)
• Voluntary provision of a nickname for public rankings (requires active confirmation and multi-step validation)

These consents can be withdrawn at any time — for push notifications by disabling them in the device settings, for nicknames by changing or removing them in the user profile.

Classification under Section 25 TTDSG (access to terminal equipment)

Storing the Radbonus ID on the user's device is strictly necessary within the meaning of Section 25(2) No. 2 TTDSG, because without this identifier the assignment of the user's usage data to Challenges and Battles, as expressly desired by the user, would not be technically possible — consent is not required for this. The collection of location data for local distance calculation takes place via the operating system's own location permission (iOS/Android) and is actively granted by the user. The storage of device tokens for push notifications is based on the user's explicit consent (Section 25(1) TTDSG in conjunction with Art. 6 para. 1 lit. a GDPR).

Information Obligations — Privacy Notice Mapping (Art. 13/14 GDPR by analogy)

Although Radbonus GmbH classifies the core data as anonymous and Art. 13/14 GDPR does not apply to anonymous data, the following overview provides, as a precaution, the transparency information that would be required if personal data were assumed:

Required information (Art. 13 GDPR)	Implementation
Controller (para. 1 lit. a)	Radbonus GmbH, represented by Marius-Eugen Gerdan and Katharina Gerdan-Dörenhoff
Data Protection Officer (para. 1 lit. b)	Johannes Milczewski, privacy@radbonus.com, +49 221 177 32 99 - 0
Purposes and legal bases (para. 1 lit. c/d)	Provision of the service (Art. 6 para. 1 lit. b by analogy): distances, timestamps, Challenge participations, bike type, favorites. Consent (Art. 6 para. 1 lit. a): push notifications (device tokens), nickname
Recipients (para. 1 lit. e)	Hetzner Online GmbH (infrastructure/load balancer, processor pursuant to Art. 28); Google/Firebase (FCM push, processor pursuant to Art. 28); Apple (APNs iOS delivery). Partners receive only aggregated statistics — no individual data, no identifiers
Third-country transfer (para. 1 lit. f)	Where FCM/APNs process data outside the EEA: SCCs pursuant to Art. 46 para. 2 lit. c; EU-U.S. Data Privacy Framework pursuant to Art. 45 (Google); Apple Data Processing Terms
Retention period (para. 2 lit. a)	Usage data: active use, max. 24 months after last activity. Device tokens: until revocation/deactivation. Nicknames: until removal/deactivation. Backups: 6 months on a rolling basis. See retention table for details
Data subject rights (para. 2 lit. b/c/d)	Access, rectification, deactivation (analogous to erasure), withdrawal of consent — granted as a precaution (see section “User Rights")
Right to lodge a complaint (para. 2 lit. d)	Right to lodge a complaint with the competent supervisory authority for data protection: North Rhine-Westphalia State Commissioner for Data Protection and Freedom of Information (LDI NRW)
Necessity of providing the data (para. 2 lit. e)	Distances and timestamps are required to provide the service. Push notifications and nickname are optional; not providing them has no impact on the usability of the app

---

Data Sharing

The Radbonus app follows a strict principle of data sovereignty.

No Sharing of Identifying Data

• No sharing with third parties: No data is shared that would allow users to be identified. Partners receive only aggregated and anonymous statistics.
• No storage in clouds: The data is not stored in cloud services in order to keep full control over the data and ensure the highest security standards.

Display ID in Rankings

A non-identifying display ID is used for rankings. If the user has set a validated nickname, that nickname is shown; otherwise, a heavily shortened fragment of the Radbonus ID (the first characters) is displayed as a placeholder. Before being stored, nicknames undergo a two-stage automated review, including AI-supported semantic analysis by a local language model (see section “Data Collection”). Rankings are shown only starting at a minimum participant count of 15 active users within a Partner World; below this threshold, users see only their own data. Kilometers in the ranking display are rounded to full kilometers, and the ranking is updated at defined intervals (not in real time). In both cases, the display ID serves only to visually distinguish participants in the ranking and is not suitable for enabling third parties to access individual data. Neither partners nor other users receive access via the display ID to start/end times, duration, individual events, or raw data; only a rounded, delayed-updated total distance in kilometers for the respective competition period is visible. The display ID is specific to the Partner World and cannot be linked across different Partner Worlds.

Access model (who sees what)

The following overview shows which data is available to each party:

• Users (own app): See their own start times, end times, ride duration, individual events, and total kilometers. These individual usage data do not leave the user app view in any personalized form.
• Other users (ranking): See — only once there are at least 15 active users — only the display identifier (nickname or shortened ID fragment) and the rounded total kilometer count for the respective competition period. No times, no individual events, no raw data. Below this threshold, no rankings are shown.
• Partners: Receive only aggregated statistics at world and challenge level (total kilometers, participant numbers, challenge completion rates). No identifiers, no individual values, no timestamps, no individual distances.
• Radbonus: Processes the data to provide the service. Has no identity data and no linking features for assigning data to natural persons. Radbonus knows neither the identity of the users nor the internal structures or employees of the partner companies.

Access matrix (detailed overview):

Data category / access level	Users (own app)	Other users (ranking)	Partners	Radbonus (Ops/Admin)	Hetzner (Infra)	Google (FCM)	Apple (APNs)
Identity data (name, email, phone)	No	No	No	No	No	No	No
Radbonus ID (full)	Yes	No	No	Yes	No	No	No
Display identifier (nickname/ID fragment)	Yes	Yes (from 15 participants)	Optional (public rankings only)	Yes	No	No	No
Total kilometers (competition period, rounded)	Yes	Yes (from 15 participants)	Aggregated only	Yes	No	No	No
Individual events (rides)	Yes	No	No	Yes	No	No	No
Start/end times	Yes	No	No	Yes	No	No	No
Team membership	Optional	No	Aggregated only	Yes	No	No	No
Bike type	Optional	No	Aggregated only	Yes	No	No	No
Geocoordinates / GPS routes	No (local only, deleted immediately)	No	No	No	No	No	No
IP addresses (application level)	No	No	No	No	No	No	No
IP addresses (network level/load balancer)	No	No	No	No	Yes (transport)	No	No
Device token (push)	Optional	No	No	Yes (separately, encrypted)	No	Yes (transport)	Yes (transport)
Data export / raw data download	Yes (own data)	No	No	Internal only	No	No	No

The matrix shows: No external actor has a combination of identity attributes and individualized usage data. The rows “Identity data" and “Geocoordinates" consistently confirm “No" across all actors — the data typically required for re-identification does not exist in the system.

Data protection role of partners

Partners (companies and organizations) that run a Partner World at Radbonus set it up as a company world for their employees or members. The users of these Partner Worlds are adult employees or organization members. From a data protection perspective, partners are neither joint controllers (Art. 26 GDPR) nor processors (Art. 28 GDPR).

Distinction from joint controllership: Joint controllership requires that two or more controllers jointly determine the purposes and means of the processing (Art. 26 para. 1 GDPR). Partners can configure their Partner World — this includes visual customization (colors, logos), the design of Challenges, and target values in kilometers. These configuration options relate to the content design of the service, not to the purposes and means of data processing. The purpose of the processing (recording anonymous cycling activities to run Challenges and Battles) remains the same regardless of the specific configuration of a Partner World and is defined exclusively by Radbonus. Partners have no influence over the processing architecture, the data categories, the storage logic, or access to the underlying systems. The situation is comparable to a company using a SaaS platform and configuring content there without thereby becoming a joint controller of the platform's data processing. If, in an individual case — for example due to a different assessment by a supervisory authority — joint controllership is assumed, Radbonus GmbH will provide an agreement in accordance with Art. 26 GDPR.

Partners receive from Radbonus only:

• Aggregated, anonymous statistics about the use of their Partner World (e.g. total kilometers, participant numbers, Challenge completion rates)
• Battle displays with exclusively aggregated total kilometers (no individual ride times, distances per ride, or activity patterns)
• Public ranking views with display identifiers (nickname or shortened ID fragment; no full Radbonus IDs, no individual activity data)

Partners never receive:

• Individual Radbonus IDs or individual usage records
• Individual ride times, distances per ride, or timestamps of individual users
• Performance details or activity patterns that could allow conclusions to be drawn about individual persons
• Device tokens, IP addresses, or other technical identifiers
• Export options for user-related data

Individual usage data (own times, routes, Challenge progress) is visible only to the respective user in their app. This data does not leave the user app view in individualized form.

This strict limitation to aggregated data creates a double protective barrier: Radbonus has no knowledge of the partner's internal structures or employees. The partner does have contextual knowledge of its organization, but does not receive any individualized data from Radbonus. Neither side has the combination of contextual knowledge and individual data that would be required for re-identification.

Ensuring data protection

Through these measures, Radbonus GmbH ensures that user data always remains under control and protected. The exclusive use of its own servers in highly secure data centers underlines Radbonus GmbH's commitment to user data protection and data security.

---

Data storage and security

The Radbonus app is designed for the secure storage and processing of usage data. The app and backend process usage data without any identity reference. This means that even in the event of a security issue, no identifiable personal data can be exposed, because such data does not exist at any point in time.

Storage locations and duration

• Operated servers: Data processing takes place on bare metal servers operated by Radbonus GmbH itself. These servers are located in Germany and housed in highly secure data centers.
• Server security: The servers are extensively secured and meet the requirements of the data center's ISO/IEC 27001 certification.
• No cloud storage: The data is not stored in any cloud. All data is stored and processed locally on the servers mentioned in Germany.
• Storage duration: The data is stored only as long as necessary to fulfill the respective purposes. Once those purposes have been achieved, the data is deleted.

Technical and organizational security measures

• Encryption: All data transfers between the Radbonus app and the servers take place over encrypted connections (SSL/TLS) to ensure the confidentiality and integrity of the data.
• Access controls: Access to the servers and databases is strictly regulated and permitted only to authorized persons. Multi-factor authentication and strict password policies are used.
• Data backup: Regular backups of the data ensure that, in the event of data loss, the data can be restored. The backups are also stored in encrypted form.
• Monitoring and logging: The servers and databases are continuously monitored at application level. Only application-related events are logged: database access (read/write operations at database level), authentication attempts to the admin access (successful and failed logins), system resource metrics (CPU, RAM, storage), as well as application errors and exceptions. These logs are retained for a period of 90 days and then automatically deleted. Access to log data is restricted to administrators with MFA-protected access and is used solely for the purpose of troubleshooting and security monitoring. The logs do not contain IP addresses of app users — forwarding of the client IP via X-Forwarded-For is disabled on the load balancers, and the IP address is not available on the backend servers (see section "Non-stored data"). Defense against network-based attacks (DDoS, brute-force at IP level) is the responsibility of Hetzner Online GmbH as part of its infrastructure services and takes place at network level outside the Radbonus systems.
• Firewall and protective measures: The servers are secured by firewalls and other protective mechanisms against unauthorized external access. Regular security updates and patches are applied to keep the systems up to date.
• Key management: Cryptographic keys (TLS certificates, backup encryption, device token encryption) are managed exclusively by internally qualified employees. Private keys are stored on the bare-metal servers in protected file systems with restrictive access rights. Keys are rotated according to a defined key rotation plan. External service providers have no access to cryptographic key material.
• Roles and access rights concept: Access to production systems is based on the principle of least privilege. Administrative access is restricted to a defined number of qualified employees and requires multi-factor authentication. Access permissions are reviewed regularly and adjusted immediately when responsibilities change.
• Penetration tests: External penetration tests are carried out quarterly (every 3 months) to systematically identify vulnerabilities in the infrastructure and applications. The results are documented, and identified vulnerabilities are fixed based on priority and criticality.
• Secure Software Development Lifecycle (Secure SDLC): Software development follows a secure development process that includes code reviews, automated security tests (SAST/DAST), and an approval procedure before every production deployment. Security requirements are taken into account right from the design phase.
• Business Continuity / Backup Strategy: Encrypted backups are created daily and retained on a rolling basis for a period of 6 months. The Recovery Time Objective (RTO) is 4 hours; the Recovery Point Objective (RPO) is 24 hours. Recovery processes are tested regularly.

Minimization of data collection

• Data minimization: The Radbonus app only collects the data that is absolutely necessary to fulfill the respective purposes. Data that is not needed is not collected.
• Anonymous use: The app enables anonymous use within the meaning of Recital 26 GDPR. No identifiable personal data such as name, address, email address, or phone number is collected or stored. Technical assignment is carried out exclusively via the Radbonus ID generated using a random generator, which has no link to a person and for which no assignment is possible.

Usage data without identity reference

Radbonus processes usage data without any identity reference and without knowledge of the users' identities. The Radbonus ID as a technical key refers exclusively to data records that themselves contain no personal information. No personal data is collected or stored (e.g. name, address, email, phone number). IP addresses are not available at the application level — forwarding via X-Forwarded-For is disabled on the load balancers. Geo coordinates are processed exclusively locally on the end device and are never stored server-side. Even in the event of a security issue, no personal data can therefore be exposed, because such data is never present on the Radbonus systems at any point (with the exception of the encrypted device tokens stored, for which separate incident handling applies — see section „Measures in the event of security incidents").

Measures in the Event of Security Incidents

• Emergency plan: Radbonus GmbH has implemented an emergency plan for security incidents. This plan includes measures to contain the damage and restore system integrity.
• Usage data without identity reference: Since the core data (distances, timestamps, Challenge participations) does not contain any identity-related information, a compromise of this data does not pose any risk to the rights and freedoms of natural persons within the meaning of the GDPR. No reporting obligation under Art. 33 GDPR applies to non-identifiable data.
• Device tokens (special case): Device tokens are handled as potentially personally identifiable as a precaution and are stored encrypted on the Radbonus servers. Even in the event of a security incident, the tokens would not be readable without the corresponding decryption key. If a compromise of device tokens still cannot be ruled out, an assessment is carried out under Art. 33 GDPR (notification to the supervisory authority) and Art. 34 GDPR (notification of the data subjects). As a technical immediate measure, affected tokens are invalidated and regenerated, so compromised tokens no longer allow notifications to be delivered.
• Transparency: In the event of a security incident, Radbonus GmbH provides transparent information about the incident, its scope, and the countermeasures taken.

---

User Rights

Although the Radbonus app processes usage data without any link to identity, and the GDPR rules on data subject rights do not apply to anonymous data, Radbonus GmbH nevertheless offers users the following options as a precaution:

Authentication and access control when exercising rights

Since Radbonus does not store identity data, authentication for requests for information and deactivation takes place exclusively through possession of the Radbonus ID on the end device. The Radbonus ID is stored only locally in the app and cannot be viewed from outside. Guessing other users' IDs is practically impossible because of the random generator and the key length. Retrieval of your own usage data is only possible through the app itself — there is no external API or web interface through which profile data could be accessed using a Radbonus ID. For requests by email to the Data Protection Officer, the user is asked to provide their Radbonus ID from within the app; no identity check is required, since the identifier itself has no personal reference.

Information about stored data

Users can receive information about which anonymous data is stored in relation to their Radbonus ID. This information includes, among other things:

• Distances ridden with start and end time
• Membership in Challenges, Battles, and Missions
• Winnings
• Optional: Nickname, favorites, bike type, and team membership

Correction of data

If users notice that the stored data is incorrect or incomplete, they can request a correction. This mainly concerns optional details such as nickname or team membership.

Deactivation of the usage profile

Upon the user's request, the usage profile (Radbonus ID and associated records) is deactivated. Since Radbonus processes usage data without any link to identity, the following measures are taken when deactivation occurs:

• Device tokens for push notifications are deleted.
• Optional details such as nickname and favorites are deleted.
• No further profile-related processing of the usage data takes place.
• The performance data contributed by the user to Missions and Battles remains available in aggregated form so that the public results of group Challenges are not distorted afterward.

Deactivation of push notifications

Users can disable the use of device tokens for push notifications at any time. This can be done in the app settings. When disabled, the device tokens are deleted.

Contact

Users can contact the Data Protection Officer with any questions or concerns (contact details see section "Data Protection Officer").

---

Consent and opt-out mechanisms

The Radbonus app offers users clear and transparent mechanisms for giving consent and opting out so they can manage their preferences.

Consent

Consent to data processing

Use of optional features is voluntary. This applies in particular to:

• Providing a nickname and bike type voluntarily
• Joining a team for Team Activities
• Saving Challenges as favorites

Consent is given by actively using the relevant features in the app and can be withdrawn at any time.

Consent for Push Notifications

Users can agree to the use of device tokens for sending Push Notifications. These notifications provide updates on new Challenges, rewards, and other relevant events. Consent is given when the app is first used or through the relevant settings in the app.

Opt-out mechanisms

Opt-out of Push Notifications

Users can disable the use of device tokens for Push Notifications at any time. This can be done in the app settings. When disabled, the device tokens are deleted, and the user will no longer receive notifications.

Deactivation of the usage profile

Upon the user's request, the usage profile will be deactivated. Information such as device tokens for Push Notifications and optional details will then be deleted.

Withdrawal of consent

Users can withdraw their consent to use optional features at any time. Withdrawal can be made by contacting the data protection officer (contact details see section "Data Protection Officer").

---

Data protection by design and by default

The Radbonus app takes a proactive approach to building privacy protection into its technical and organizational processes from the start.

Privacy by Design

• Anonymous identification: The Radbonus app uses a Radbonus ID generated by a random generator for the technical assignment of usage data. This ID has no link to the device or the user's person and cannot be traced back to any specific person.
• Location data processed locally only: Geocoordinates for rides are collected only locally on the user's device and deleted after the route has been calculated. No location data is stored on the server side.
• Minimal data flow: Data transfer between the app and the servers is limited to what is necessary, e.g. ridden distances and the start and end times of rides, without transmitting personal data such as names or addresses.
• Nickname validation by local LLM: Nicknames are optional and, before being saved, go through a two-step automated check: rule-based pattern recognition and AI-supported semantic analysis by a language model operated locally on the Radbonus infrastructure. Entering a nickname requires the user's active confirmation that the nickname does not contain any personal data. If no nickname is provided, an abbreviated ID fragment (e.g. „Meerkatze") is used as the default display identifier.
• Encrypted communication: All data transfers take place over encrypted connections (SSL/TLS) to ensure the confidentiality and integrity of the data.

Privacy by Default

• Data minimization: By default, only the data that is absolutely necessary for the app to function is collected. Optional details such as nickname or team membership are voluntary and not required to use the app.
• Tracking options disabled by default: Location-based services are disabled by default and must be actively enabled by the user in order to measure ridden routes.
• No storage of personal data: The app and the backend do not store any personal data. Even in the event of a security issue, no personal data can therefore be exposed.
• Opt-in for additional features: Features such as saving challenges as favorites require an active decision by the user and are disabled by default.

Minimizing Data Collection

• Reduction to the essentials: The Radbonus app only collects the data that is essential for providing the service. Data that is not needed is not collected.
• Deletion after use: Temporarily collected data such as geocoordinates is deleted immediately after use to minimize data storage.
• Anonymous use: The app enables anonymous use within the meaning of Recital 26 GDPR — no personal data is collected or stored. Technical assignment takes place exclusively via the Radbonus ID generated by a random number generator, for which no link to a natural person exists.

---

Regular Review and Updates

Radbonus GmbH is committed to continuously reviewing and updating its data protection and security measures to ensure that the documented standards are consistently maintained.

Audits and Controls

• Internal security audits: Radbonus GmbH regularly carries out internal security audits to identify and fix potential vulnerabilities. Specialized software solutions such as Burp Suite are used for this, enabling thorough security checks.
• External security audits: In addition to the internal audits, regular external security audits are carried out by independent, specialized service providers. These audits provide an objective assessment of the security measures and help implement continuous improvements.
• Monitoring and logging: Radbonus GmbH's IT infrastructure is continuously monitored at the application and system level. Only application-related and system-related events are logged (database operations, administrator access, system resources, error states). These logs do not contain IP addresses or any other network-related identifiers of app users — IP forwarding via X-Forwarded-For is disabled on the load balancers. Security audits (internal and external) check application security (e.g. using Burp Suite), server configuration, and the effectiveness of access controls.
• Review of anonymity: Regular checks are carried out to determine whether the processed data can still be classified as anonymous within the meaning of Recital 26 GDPR. If the technical or organizational framework changes, the anonymity assessment is updated.

Procedures for Adjusting the Data Protection Concept

• Continuous improvement: The results of the internal and external audits are used to continuously improve the data protection concept and adapt it to new threat situations.
• Updates in the event of legal changes: The data protection concept is reviewed and updated regularly to ensure that it meets current legal requirements and best practices. If data protection laws or regulations change, the concept is adjusted accordingly.
• Feedback loops: Feedback from users and employees is actively incorporated into the revision of the data protection concept to ensure practical improvements and user-friendly adjustments.

Documentation and Logging

• Traceable documentation: All changes and updates to the data protection concept are carefully documented. This documentation creates a traceable history and ensures that all measures are transparent and auditable.
• Regular reports: Regular reports are prepared on the audits carried out and their results. These reports serve as a basis for further improvements and are made available to management.
• Incident logging: All security-related incidents are thoroughly documented and logged. These logs are used for analysis and help prevent future incidents.

---

Training and awareness

Radbonus GmbH places great importance on ensuring that all employees and relevant stakeholders are fully informed about data protection and data security.

Training programs for employees

• Regular training: All employees at Radbonus GmbH regularly take part in training sessions on data protection and data security. These training sessions cover the basics of the GDPR, specific requirements of the Radbonus app, and the internal data protection guidelines.
• Introductory seminars: New employees receive a comprehensive introductory seminar when they join the company, familiarizing them with Radbonus GmbH's data protection requirements and processes.
• Specialized training: Employees who work in areas that are especially relevant to data protection receive additional specialized training. This applies in particular to the IT department and the data management team.

Data protection awareness measures

• Regular reminders: Regular emails and internal updates continuously remind employees of the importance of data protection and current topics or threats.
• Workshops and seminars: In addition to the training sessions, workshops and seminars are held regularly to explore specific data protection topics in more depth and discuss current developments.
• Information materials: Radbonus GmbH provides its employees with comprehensive information materials, including guides, checklists, and FAQs on data protection-related topics.

Promoting a data protection culture

• Open communication: Radbonus GmbH promotes a culture of open communication regarding data protection. Employees are encouraged to ask questions and voice concerns in order to ensure a full understanding and active involvement in data protection.
• Feedback loops: Feedback and suggestions for improvement from employees are actively collected and integrated into the further development of the data protection measures.
• Best practices: By communicating and applying best practices in data protection, it is ensured that all employees adhere to the same high standards.

---

Final Provisions

Validity Period of the Privacy Policy

This privacy policy takes effect on February 1, 2026, and remains valid until further notice. It is reviewed regularly and updated as needed to comply with current legal requirements and best practices in data protection.

Procedure for Publishing the Policy

• Internal communication: The privacy policy is made known to all employees of Radbonus GmbH through internal communications and training. It is available at any time on the company's internal network.
• External communication: Users and partners are given access to the privacy policy via the official website of Radbonus GmbH and within the Partner World in the app. Please note that the policy may be updated regularly.

Contact for Questions

If you have any questions or concerns about this privacy policy, you can contact the Data Protection Officer of Radbonus GmbH (contact details see section "Data Protection Officer").