Privacy Policy

Please read the following document carefully. In this privacy notice, we inform you about the processing of your personal data in connection with the use of the cosmos web application ("App"). Last updated: 05/02/2024

1. The person responsible under the data protection law

The App is operated by Lufthansa Innovation Hub GmbH, Brunnenstrasse 19-21, 10119 Berlin, Germany ("Lufthansa Innovation Hub") as the controller of your personal data within the meaning of the European Union Data Protection Regulation ("GDPR") and the German Federal Data Protection Act ("BDSG"). Full details of the Lufthansa Innovation Hub can be found in the imprint. Information on how to contact the Group Data Protection Officer and the responsible supervisory authority can be found in later sections of this data protection notice.

2. Data processing upon visit of our website

When you visit our website, the following data is processed by us:  

  • Processing of personal data with the consent of the data subject.  
  • Processing of personal data to comply with a legal obligation to which we are subject under any applicable law of the EU or under any applicable law of a country in which the GDPR applies in whole or in part.  
  • Processing of personal data to protect the legitimate interests of us or of third parties, unless the fundamental freedoms and rights and interests of the data subject override these. Legitimate interests include, in particular, our business interest in being able to provide our website, information security, and the enforcement of our own legal claims.

Within and on our website embedded form, the user is asked to enter personal information which will then be processed by us. Some of the information is required, such as your contact details. We keep email communication for 12 months, unless statutory retention periods apply. In this case, we keep the email communication for 6 or 10 years in accordance with the law. Your data will be deleted or (if we are obliged to retain them due to legal conditions or contractual agreements) blocked as soon as the purpose of the data transfer has been fulfilled or if you inform us of your wish to do so.

3. Purposes and legal bases of the processing

a) User contract: The data we collect is processed by us to fulfill the services offered in the App ("usage contract") (Art. 6 para. 1 p.1 lit. b DSGVO - contract performance and pre-contractual measures).

b) Promotional communication: During the registration process or later in your account, you have the option of granting us consent to send you information and individual offers regarding the App's services and to contact us for this purpose by electronic means of communication (e.g. by e-mail, push messages). If you have given us the corresponding consent, we will process your contact data (, email address) in order to send you the information and individual offers (Art. 6 para. 1 p. 1 lit. a DSGVO - Consent). You have the right to revoke your consent at any time. For more information on your right of revocation, please refer to section 7 of this data protection notice. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

c) Other purposes: In addition, we process your data for the purpose of fraud prevention and assertion of legal claims (Art. 6 para. 1 p. 1 lit. f DSGVO - safeguarding legitimate interests - entrepreneurial interest in protecting the company against material and immaterial damage).

4. Recipients of your data

In order to be able to offer you our services, we use service providers such as IT service providers as processors in accordance with Art. 28 DSGVO. The service providers have been carefully selected and work exclusively according to our instructions. They provide sufficient guarantees for compliance with data protection obligations. Depending on the reward, it may be necessary for us to share some of your personal data with the partner company issuing the reward so that the reward can be properly issued to you. Where personal data is transferred to third countries, appropriate safeguards are in place to protect you and your data in accordance with legal requirements (in particular, EU adequacy decision, and application of EU standard contractual clauses; information on EU standard contractual clauses can be found on the websites of the European Union). Furthermore, in certain cases, we are legally obliged to provide personal data to German and international authorities (Art. 6 para. 1 p. 1 lit. c DSGVO - legal obligation). The data collected by us will not be transmitted to other third parties.

Service Provider

Cookiefirst: For our website to function properly we use cookies. To obtain your valid consent for the use and storage of cookies in the browser you use to access our website and to properly document this we use a consent management platform: CookieFirst. This technology is provided by Digital Data Solutions BV, Plantage Middenlaan 42a, 1018 DH, Amsterdam, The Netherlands. Website: referred to as CookieFirst. When you access our website, a connection is established with CookieFirst’s server to give us the possibility to obtain valid consent from you to the use of certain cookies. CookieFirst then stores a cookie in your browser in order to be able to activate only those cookies to which you have consented and to properly document this. The data processed is stored until the predefined storage period expires or you request to delete the data. Certain mandatory legal storage periods may apply notwithstanding the aforementioned. CookieFirst is used to obtain the legally required consent for the use of cookies. The legal basis for this is article 6(1)(c) of the General Data Protection Regulation (GDPR). Data processing agreement We have concluded a data processing agreement with CookieFirst. This is a contract required by data protection law, which ensures that data of our website visitors is only processed in accordance with our instructions and in compliance with the GDPR. Our website and CookieFirst automatically collect and store information in so-called server log files, which your browser automatically transmits to us. The following data is collected:

  • Your consent status or the withdrawal of consent
  • Your anonymised IP address
  • Information about your Browser
  • Information about your Device
  • The date and time you have visited our website -The webpage url where you saved or updated your consent preferences
  • The approximate location of the user that saved their consent preference
  • A universally unique identifier (UUID) of the website visitor that clicked the cookie banner

Cloudflare: A so-called Content Delivery Network (CDN) is used as a supplement. With a CDN, the responsible party can achieve additional performance. The content is duplicated on several data centers and thus distributed all over the world. This means that even users who are far away from the actual web hosting provider can achieve fast loading times. The CDN "Cloudflare" from Cloudflare, Inc (USA) is used for this. The fact that this third-party provider is based outside the EU does not prevent it from being used. This is because the provider has undertaken to comply with the EU standard contractual clauses.

Webflow: We use the provider Webflow, Inc., 398 11th Street, 2nd Floor, San Francisco, CA 94103, USA (hereinafter referred to as “Webflow”). Webflow is a Software as a Service provider for website creation and hosting.  Webflow stores cookies and other recognition technologies that are required for the depiction of the site, for the provision of certain website functions and to guarantee its security (necessary cookies). When you visit our website, Webflow records various server logfiles, including your IP address. For details, please consult the data privacy policy of Webflow:
We use Webflow on the basis of Art.6(1)(f) GDPR. We have a legitimate interest in ensuring that our website is depicted as reliable as possible. If appropriate consent has been obtained, the processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and § 25 (1) TTDSG, insofar the consent includes the storage of cookies or the access to information in the user’s end device (e.g., device fingerprinting) within the meaning of the TTDSG. This consent can be revoked at any time.
The transfer of data to the United States is based on the standard contract clauses of the EU Commission. For details, please go to:
For details regarding the Data Processing Addendum, please go to:

5. Duration of storage

We process your data as long as it is necessary for the fulfilment of our contractual and legal obligations. When the purpose for which your data was processed ceases to apply, it will be deleted, unless its retention is required for the following purposes:

  • Fulfilment of retention periods under commercial and tax law, such as those arising from the German Commercial Code or the German Fiscal Code; these periods are up to 10 years.
  • Preservation of evidence within the framework of the statute of limitations. According to §§ 195 ff. of the German Civil Code (BGB), these limitation periods can be up to 30 years, with the regular limitation period being three years. In these cases, your data will be blocked so that it can no longer be processed for other purposes.

6. Your data subject rights

6.1 Your rights

As a data subject, you may exercise the following rights if the respective legal requirements are met:

  • Right to information, Art. 15 DSGVO
  • Right to rectification, Art. 16 DSGVO
  • Right to erasure ("right to be forgotten"), Art. 17 DSGVO (see also section 11of this Travel ID Privacy Notice)
  • Right to restriction of processing, Art. 18 DSGVO
  • Right to data portability, Art. 20 DSGVO
  • Right of objection, Art. 21 DSGVO (see also section 7 of this Travel ID Privacy Notice).

Insofar as we process your data on the basis of consent, you have the right to revoke your consent at any time without affecting the lawfulness of the processing carried out on the basis of the consent until revocation. To exercise your rights, you can contact us through our website. In order to process your request and identify you, we will process your personal data in accordance with Art. 6(1)(c) DSGVO. To delete your account, you can also proceed as described in section 8 of this privacy notice. In addition, you have the right to lodge a complaint with a supervisory authority, Art. 77 DSGVO.

6.2 Competent supervisory authority

The competent supervisory authority for the Lufthansa Innovation Hub is:

Berlin Commissioner for Data Protection and Freedom of Information
Alt-Moabit 59-61
10555 Berlin

Tel.: 0049-30-13889-0
Fax: 0049-30-2155050

7. Right of objection according to Art. 21 DSGVO

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you that is carried out on the basis of Art. 6(1)(e) or (f) DSGVO. We will no longer process the personal data concerning you unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims. If the personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing. If you object to the processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes. You have the possibility, in connection with the use of information society services, notwithstanding Directive 2002/58/EC, to exercise your right to object by means of automated procedures using technical specifications. You may object to the processing of your personal data at any time.

8. Deletion of your account

If you no longer wish to use the services of the App, you can delete your account at any time. Your personal data collected in the course of using the App will then be deleted immediately - subject to conflicting retention reasons and obligations. You can delete your account yourself by contacting us at Likewise, we reserve the right to delete your account if you have not used it for 2 years.

9. Cookies

This website and the app use cookies to provide you with an optimal user experience and to collect statistical data about the use of our website. Cookies are small text files that are stored on your terminal device and contain certain information. By using cookies, we can make it easier for you to navigate our website and tailor our services to your needs. There are two types of cookies that we use: On the one hand, technically necessary cookies are essential for the function of the website. These include, for example, cookies that store your login data or the language settings of your browser. You can control the use of cookies at any time via your browser settings and, if necessary, also reject them. Please note, however, that in this case, you may not be able to use all the functions of our website to their full extent.

10. Data security

We use technical and organizational security measures to protect your data processed by us against accidental or intentional manipulation, loss, destruction or against access by unauthorised persons. Our security measures are continuously improved in line with technological developments.

11. Data Privacy Officer

The Group Data Protection Officer of Deutsche Lufthansa AG is also the Data Protection Officer of the Lufthansa Innovation Hub. If you have any questions regarding data protection, please contact the Lufthansa Group Data Protection Officer (e.g. by mail: Deutsche Lufthansa AG, Group Data Protection Officer, FRA CJ/D, Lufthansa Aviation Center, Airportring, 60549 Frankfurt or by e-mail: