Privacy Policy
1. Controller and Contact
Karl is a product of Engimono GmbH (hereinafter "we", "us" or "our").
Contact details:
- Engimono GmbH
- Parkring 18/4, 1010 Vienna, Austria
- Email: hallo@karlbikes.com
- Registered in the insurance intermediary register: 38564536
Status: We act as an insurance agent pursuant to § 137 GewO and broker insurance products in the name and on behalf of our partner insurers.
Data Protection Officer: Due to the nature and scope of our data processing we are not obliged to appoint a Data Protection Officer. For any privacy queries, you can contact us directly at privacy@karlbikes.com.
2. Overview of Data Processing
2.1 What data do we process?
Depending on your relationship with us, we process different categories of data. As a rule, we do not collect or process health data.
As a customer or prospect:
- Identity data: first name, last name, date of birth (for companies: company name, VAT number)
- Contact data: email address, phone number, residential address
- Vehicle data: information about your bicycle/e-bike/e-scooter/pedelec/cargo bike (brand, model, value, frame number)
- Payment data: bank details or credit card information
- Contract data: policy number, scope of insurance, premium amount
- Claims data: information about reported claims (if applicable)
- Previous insurance: details of prior insurance policies and claims history
As a witness to a loss event:
- Identity data: name, contact details
- Statements regarding the observed event
As a business partner (e.g., broker):
- Business contact details
- Contractual agreements
- Billing data
Technical data (anonymised):
- IP address
- Browser type and version
- Operating system
- Date and time of access
- Cookie data
2.2 Legal bases for processing
We process your data on the following legal bases:
- Performance of a contract (Art. 6(1)(b) GDPR): for brokering and administering your insurance contract
- Legal obligations (Art. 6(1)(c) GDPR): to fulfil statutory retention duties
- Legitimate interests (Art. 6(1)(f) GDPR): for website optimisation analytics and fraud prevention
- Consent (Art. 6(1)(a) GDPR): for marketing communications and non-essential cookies
3. Our role as insurance agent
We act on behalf of the following insurance companies:
- Helvetia Global Solutions Ltd.
Äulestrasse 60, 9490 Vaduz, Principality of Liechtenstein
- HDI Global Specialty SE
Podbielskistraße 396, 30659 Hannover, Germany
Depending on the purpose of processing, we act as:
- Joint Controller with the insurers for brokering and administering insurance contracts
- Processor to the insurers for certain administrative activities
- Independent Controller for our website analytics and direct marketing
4. Purposes of data processing
4.1 Insurance intermediation
We need your data to:
- Prepare and broker insurance offers
- Conclude insurance contracts
- Forward information to the respective insurance companies
- Administer your insurance policy
4.2 Claims handling
In the event of a claim, we forward your data to the responsible insurer for:
- Claims notification and handling
- Communication with experts/loss adjusters (if required)
- Settlement of the claim
Note on health data: As a rule, we do not process health data. If, in the course of a claim notification, you voluntarily provide information about injuries or health consequences, this information will be forwarded solely to the insurer for the purpose of handling the claim. The legal basis is the performance of a contract (Art. 6(1)(b) GDPR).
4.3 Customer service and support
To handle your enquiries, we use:
- Email communication
- Telephone calls (see note below)
- Support tickets via our tool "Front"
Telephone calls: As a rule, we do not record calls. In exceptional cases, a recording may be made for quality or training purposes; you will be informed at the start of the call and may object to the recording (opt-out).
4.4 Fraud prevention and compliance
To fulfil legal obligations and to protect against fraud, we process your data for:
- Screening against sanctions lists (legal obligation)
- Fraud prevention by cross-checking with publicly available sources
- Anti-money laundering
- Meeting regulatory requirements
4.5 Website operation and optimisation
We use technical data to:
- Ensure website security
- Analyse user behaviour (privacy-friendly via Plausible Analytics)
- Improve our online services
- Error reporting (anonymised via Sentry)
5. Recipients of your data
We disclose your data to the following recipients:
5.1 Insurance companies
Your personal and contract-related data are transmitted to the respective insurers with whom your contract is concluded.
5.2 Insurance brokers
If you were referred to us by an independent insurance broker, we share the following information with them:
- Conclusion of the insurance contract
- Insurance premium and term
- Contract changes or termination
This disclosure is based on legitimate interests for the settlement of remuneration claims.
5.3 Technical service providers
- Amazon Web Services (AWS): Hosting of our systems in Frankfurt am Main
- Stripe: Payment processing and invoicing (name, email, address and payment data)
- Plausible Analytics: Privacy-friendly website analytics (no cookies, EU servers)
- Google Analytics: Enhanced website analytics (only with your consent)
- Sentry: Anonymised error reporting to improve our services
- Front: Customer service tool for managing support requests
5.4 Authorities
Where required by law, to:
- Financial Market Authority (FMA)
- Tax authorities
- Law enforcement authorities
6. International data transfers
6.1 AWS Frankfurt
Our primary database is hosted with AWS in Frankfurt. No data is transferred outside the EU.
6.2 Stripe (USA)
For payment processing and invoicing, the following data are transferred to Stripe:
- Name and address (for proper invoicing)
- Email address (for payment confirmations)
- Payment data (credit card/bank details)
The transfer is based on Standard Contractual Clauses and PCI-DSS compliance.
6.3 Google Analytics (USA)
If you consent to "All cookies", anonymised data are transferred to Google Analytics. Transfers to the USA are based on Standard Contractual Clauses.
6.4 Sentry (USA)
For error reporting we use Sentry with anonymised data. Transfers to the USA are based on Standard Contractual Clauses. No personal data are transferred.
6.5 Front (USA)
For our customer service we use Front. Your support requests (name, email, message content) are processed. Transfers to the USA are based on Standard Contractual Clauses.
7. Storage periods
We store your data only for as long as necessary:
- Insurance records: 7 years after contract end (§ 137f GewO)
- Claims files: Up to 30 years for personal injuries, otherwise 10 years
- Accounting records: 7 years (§ 132 BAO)
- Support requests (Front): 3 years after the request is closed
- Telephone recordings: If recorded, a maximum of 30 days
- Website log data: 12 months, then deletion or anonymisation
- Marketing consents: Until withdrawn
- Newsletter subscription data: Until you unsubscribe
- Google Analytics data: 26 months
- Plausible Analytics: No personal data stored
Where there is a legitimate interest (e.g., legal disputes), data may be retained for longer.
8. Newsletter
If we offer a newsletter service:
- Subscription is only possible with your explicit consent
- We use a double opt-in process for verification
- We store: email address, name (optional), time of subscription, IP address at subscription
- Unsubscribe at any time via the link in each email
- Upon unsubscribe, your newsletter data are deleted unless you remain a customer
9. Your rights as a data subject
Under the GDPR you have the following rights:
9.1 Right of access (Art. 15 GDPR)
You can request a free copy of all data we store about you. For additional copies, we may charge a reasonable fee.
9.2 Right to rectification (Art. 16 GDPR)
You can request the correction of inaccurate data or the completion of incomplete data.
9.3 Right to erasure (Art. 17 GDPR)
You can request deletion of your data insofar as no statutory retention obligations or other grounds justify continued processing.
9.4 Right to restriction (Art. 18 GDPR)
You can request restriction of processing, e.g., if you contest the accuracy of the data.
9.5 Right to data portability (Art. 20 GDPR)
You can receive your data in a structured, commonly used and machine-readable format or have it transmitted directly to another controller.
9.6 Right to object (Art. 21 GDPR)
You have the right to object at any time to processing based on legitimate interests. This applies in particular to direct marketing.
9.7 Withdrawal of consent (Art. 7 GDPR)
You can withdraw consent at any time with future effect.
9.8 Identity verification
For your protection, we may require identity verification for access requests.
9.9 Response time
We will respond to your requests without undue delay and at the latest within one month.
10. Cookies and tracking
We use our own cookie banner that distinguishes between two categories. In addition, we use Plausible Analytics (cookie-free) for basic analysis.
10.1 Essential cookies
These cookies are strictly necessary for operating the website:
- Session cookies for user identification
- Storing cookie preferences
10.2 All cookies (with your consent)
If you select "Accept all", we additionally activate:
- Google Analytics: For detailed website statistics and user behaviour
10.3 Our analytics tools
Plausible Analytics (always active)
- Uses no cookies
- Stores no personal data
- Hosts all data in the EU
- GDPR-compliant without additional consent
Google Analytics (only with consent)
- Activated only if you accept "All cookies"
- Uses cookies for detailed analysis
- Anonymised IP addresses
- Data transfers to the USA
10.4 Sentry error reporting
Sentry captures anonymised technical errors both in the frontend (browser) and in the backend of our system:
- No storage of personal data
- Only technical error messages and stack traces
- Helps improve the stability of our services
10.5 Cookie management
You can adjust your cookie settings at any time via our cookie banner. Alternatively, you can manage cookies in your browser settings or enable "Do Not Track".
11. Data security
We protect your data through:
- SSL encryption during transmission
- Encrypted storage of sensitive data
- Access control and permission concepts
- Regular security updates
- Contractual binding of all processors
- Staff training on data protection
- Technical and organisational measures pursuant to Art. 32 GDPR
12. Protection of minors
Persons under 14 years of age may not transmit personal data to us without the consent of their legal guardians. In Austria, the age of consent pursuant to § 4(4) DSG is 14 years.
13. No automated decision-making
We do not use fully automated decision-making or profiling within the meaning of Art. 22 GDPR. Risk assessment and premium calculation are carried out by the insurance companies, and automated processes may be used in a supporting capacity.
14. Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority:
Austrian Data Protection Authority
- Barichgasse 40–42, 1030 Vienna
- Phone: +43 1 52 152-0
- Email: dsb@dsb.gv.at
15. Changes to this Privacy Policy
We reserve the right to adapt this Privacy Policy to reflect changes in the legal situation or our services. The current version is always available on our website.
16. External links
Our website may contain links to external websites. We have no influence over their content or privacy practices. Please consult the privacy policies on the linked sites.
17. Questions about data protection
If you have questions about the processing of your personal data or your rights, please contact us at:
- Email: privacy@karlbikes.com
- Post: Engimono GmbH, Parkring 18/4, 1010 Vienna
Version: October 1, 2025
Note: This Privacy Policy applies to all services of Engimono GmbH in connection with the brokering of bicycle insurance as an insurance agent.