Privacy Policy

Thank you for using the Ride App that simplifies your traveling. Nottingham City Council, in partnership with Derby City Council, has commissioned the mobility-as-a-service platform, Ride, which is built, delivered and operated by Trafi Ltd (part of the Enghouse Group of companies).

Trafi Ltd is the sole and exclusive data controller for all personal data collected through the Ride App (“App”) and processes your personal information in accordance with the Terms of Use of the App.

We take the protection of your personal data very seriously. The goal of our privacy policy is to help you understand what personal data we collect from you, why it is collected, who we share it with, and how you can exercise your rights when you trust us to handle your data for you. We ask you to read this privacy policy carefully and familiarize yourself with its content.

1. HOW CAN YOU CONTACT US?

Trafi Ltd, with its registered office at 9th Floor, 107 Cheapside, London, United Kingdom, EC2V 6DN, is the data controller in respect of your personal data being used and processed through the App for the purposes described in this policy. Please feel free to contact our Data protection officer on privacy related questions by email at dataprotectionofficer@enghouse.com.

If you have any questions or suggestions related to Trafi’s services, please contact Trafi via  one of the available customer support channels in the Ride App or by emailing Trafi at support@rideeastmids.com.

2.WHY DO WE COLLECT YOUR PERSONAL DATA?

Personal data is collected in accordance with the Terms of Use of the App to enable you to access the App and purchase transport services (also referred to as Third Party Services as defined in the Terms of Use) provided through Ride. When you access, connect to, download, create an account for, make purchases within, or otherwise use Ride App, we will collect and process personal data about you. The personal data we collect will depend on the circumstances and the services you are using or requesting, in accordance with the Terms of Use of the App.

If you use the App, we must have a legal basis to process your personal data for the purposes set out in this privacy policy. There are different legal bases that we rely on to use your personal information, namely:

1. Performance of a contract: The use of personal data is necessary to enable Trafi to adjust and customize the App for a more personal experience. Trafi may therefore contact you about your experience to gather further information concerning the administration and operation of the App.
2. Consent: We require your consent to use your data (please note you may withdraw your consent at any time by following an unsubscribe link in any marketing communication you receive from us) and use technical information; and your personal data for occasional marketing and advertising purposes.
3. Legitimate interests: We may use your personal data for our legitimate interests to improve our products and services offered through the Ride App. These improvements are dependent on analysing (for example) how you use the Ride App, the success rate(s) of any promotion or event, transactional data and customer interactions. We will also use your personal data for security purposes, and to share information with our affiliates for solely internal administration based on legitimate interest.
4. Legal obligation and public interest: Where compelled by applicable law, we may also have a legal obligation to collect your personal data or may otherwise need your personal data to protect your vital interests or those of another person.

3.HOW DO WE GET YOUR INFORMATION?

We get information about you from the following sources:

1. Directly from you, through information you provide via Ride and through enquiries you make through the Ride App.
2. From transport service providers/ verification service provider/ payment service provider and Customer support centre when you use their services.
3. From your device, which provides us with information about your visit or use of the app.

4. WHAT PERSONAL DATA WE PROCESS AND WHY?

The information we process about you will fall within the following categories and is required to enable the route search and transport services to be provided to you via Ride App.

4.1. From use of the App

4.1.1. Technical details and frontend events

It is technically necessary for us to provide you with the functions of the App, monitor usage and to ensure its security. You are able to see the information displayed in the App about transport services without having to create an account, i.e. for information purposes. If you do elect not register and provide us with your information.

We process the following information:

• Technical details of the device used (e.g. DeviceID and IP address, installation IDs)
• Device information: Operating system (Android or iOS), Type of device, device properties, device model, memory used and free storage used, Battery info, Time zone for iOS, App ID, language and version
• User ID’s
• App frontend events: session ID, time, events type
• Crash/issues information: Crash date and time, Screen in app where crash occurred, event flow before crash (breadcrumbs — navigation events and network requests)

4.1.2. Location data 

Is collected to guide your trip and enable route search: allowing for Trafi to access location and route information of your device helps us to provide you with more accurate content, such as showing transport options nearby or other options that we consider the best based on your location or guiding you through the trip with feature “Active trip”.

The following data are processed:

• To determine your location and guide you: GPS signals, device sensors, Wi-Fi access points, and tower ids to estimate your precise location;
• To provide you with route suggestions and guide you: Route results ID, start location, destination, start time, arrival time, duration journey time, connection times, type of transport, prices, user rating of connection information.

You can either allow the app to access location services by manually entering your location or consent to (“Allow Once” or “Allow while using the App”).  You can  manage your preferences through the Settings function on your device and its permissions system by selecting “Opt-in/ Opt-out” for “Location” sharing. In the case of GPS tracking, we only collect the location determined by your device if the app is open and you consent to location sharing.

If you disable the function, we will not collect any of your location data. However, in this case, we could only provide generalised location information and some services may not be available, particularly those that require accurate location information such as: Stops near me, available transportation options nearby.

4.1.3. Your Account data

Account data can be used to access transport services. We provide the option for you to register and create an account in the app, which requires you to enter your personal data. There are two options enabling account creation : either using your email address or your Apple/Google account.

If you choose to create a Trafi account by using a third-party social network, such as your  Apple or Google accounts, you will need to grant Trafi specific access via the accessibility settings linked to your accounts.   We only use this data to speedily populate your user account, providing you access to the Ride App as quickly as possible.

Nonetheless, please be aware that your third-party Apple or Google provider may also receive notifications  that you are accessing the Ride app. Trafi is not responsible for, and does not control, the data processing practices of these third-party providers. We recommend you review their respective privacy policies.

An account is necessary in order to use the Mobility services through the app. During the registration process, you will be asked to provide the following personal data:

• First name, Last name, and we will assign you with the user ID to identify you
• Email address
• Date of birth
• Gender
• Address
• Language preference
• Mobile number to ensure higher security of your account (two-factor authentication & verification)
• Password
• Acceptance of Terms and Conditions
• Acceptance of this Privacy Policy
• Opt-ins and Opt-outs privacy settings

In addition we will also automatically collect the following information:

• Device ID and ID Token to enable user authentication for security purposes
• Date and time of registration
• Version number and time of acceptance of applicable terms and conditions of use and privacy policy of the App and of Third parties used through the App
• For accessing some of the transport services we require your Driving licence/ ID document verification and process related data: Driving licence/ ID document information, copy of document (back and front), facial photograph and video (biometric data).
• Specifically for accessibility requirements, Trafi may also process disability data (special category data under UK GDPR Article 9), if disclosed by you. This processing is necessary to provide you with information about vehicles adapted and equipped for transporting passengers with disabilities, and/or accessible facilities information. By providing this information, you explicitly consent to the processing of this special category data for these specific purposes. You may withdraw your consent at any time by contacting us using the details provided in this Privacy Policy..

This information is required to establish, formulate, or modify the contractual relationship between you and Trafi and provide the best possible services for your personal needs and preferences. The data is also used to provide customer account functions and for management and support of your customer account. Some of this data will be shared with transportation providers when you first use their services. You cannot use some of the mobility services in the Ride app if while registering your account you fail to  provide all the mandatory data required.  This data is required to set up your contract to use the Ride App.

4.1.4. Payment related information

In order to use mobility services through the Ride App, you must provide payment information that will be processed by Trafi and shared with the Payment Service Provider.

The following personal data is collected by Trafi so we can make payments on your behalf or refund you if necessary:

Credit/debit card details: type, card number, validity date, verification number,Card holder information: full name, User ID,

• Payment method information: ID, Timestamp (date and time),
• Additionally during the payment transaction the following data will also be collected: User ID, Payment token, Order ID, External reference, MSP account ID (merchant ID), Reservation amount, Final amount, Currency, Order date and time, Bill date and time, Payment method ID, User status at the PSP (Active/Blocked), Initial payment authorization status (Ok/Reject), Final payment authorization status (Ok/Reject).

It is important to highlight that to ensure the privacy principle of data minimization and purpose limitation, Trafi does not store credit card information, such as credit card number, IBAN (international Bank Account Number), or other credit card-related data. Technically, only payment method-specific data is captured through the mobile application and transferred to and stored by the relevant Payment Service Provider and relevant parties involved. Therefore, each party will need to cover the areas that they control and ensure that all processes and data collected comply with PCI-DSS standards.

To ensure security of your data, Trafi will ensure that all raw data  transmitted to the payment service provider will be tokenized and encrypted.This means that the PSP then becomes the data controller responsible for the collection and storage of personal data for payment purposes.

4.1.5 Trips and booking data

Is used to book and use transport and mobility services. When you book and use mobility services through the Ride App (i.e.  purchasing a ticket, book mobility services) a legal contract is formed between you and the mobility/ticketing service provider you selected by accepting their terms of use and privacy policy.

Trafi will transmit and receive the following data required by your selected mobility/ ticketing service provider and process the data to enable you to use their  services.  No data is sent or received on your behalf until you make your first purchase:

Your information that you provided while creating the account:

• T&C and privacy policy acceptance version, date and time,
• External User ID
• Vehicle information, vehicle parking photo
  • Booking ID
• Trip details, time and location
• Ticket information: departure, tariff, price, Ticket ID, Ticket class, Ticket barcode, Ticket validity, Ticket traveller name, Ticket discount and discount amount, Ticket type (one-way or return), other ticket related information
• Trip/ticket invoice details

4.1.6. Your Feedback information

You may provide feedback on your experience in the Ride App. In order to grow trustworthiness of the Ride App, we enable users to leave their feedback about their experience if they wish to do so.

This is a voluntary action based on user active action and consent. If you chose to leave the feedback we will process data on your feedback, including User ID, timestamp, Category, Comment, Feedback Categories (issues), Rating (positive/negative), Route result ID, Request and Response Time.

4.1.7. Your request for Customer Service

The Ride app provides multiple options to get customer support. When you contact our customer service through the Ride App, phone or by email we will process your data, including recording and transcription of your phone call, storage of your email and contact information and other details to respond to your request. In order to enable us to support you, the information collected may be used by both the customer service and technical teams to help solve your issue.

4.1.8. Marketing Data

Links to pages you access within the Ride app are collected to check which services are best utilised and also to help assess how Ride services can be improved. In order to do this, we may also collect IP address data, to see how navigation, for example, can also be improved.

4.2. Other data usage purposes:

4.2.1. Notifications on generic offerings and services

We may also contact you via the Ride App to notify you about our generic information on services or offers, ticketing changes, price changes, new services etc.. If you do not agree to receive general information, you may object and “opt-out” by going to “Settings -> Privacy -> Marketing -> opt out.

4.2.2. Analytics with pseudonymised data, Research and Statistics

We will process personal data for analytical purposes. These data relate to your use of the Ride App includes pseudonymised data such as: User ID and your app usage related information as defined above. However we use specific techniques to make our analytics not intrusive and to use pseudonymized data, such as:

• Hashed ID, User ID, Booking ID, Ticket ID, Order ID, Purchase ID are hashed using standard SHA256 algorithm
• Booking Start Timestamp rounded to an hour (e.g. Real time – 12:34 AM , value created: 12:00 AM)
• Booking Start Coordinates are encoded using Hexagonal Hierarchical Spatial Index system (https://h3geo.org, resolution used: 9)

Example:

The use of these techniques allows Trafi to analyse data to ensure the quality of the technical features and the improvement of the app while maintaining a level of adequate data protection

Trafi uses the data for a strict purpose of improving the product so the technical functionalities of the app will work better and efficiently for the user. Data analysed will never be used for direct marketing activities. Trafi will never use it for  ; retargeting or reselling your data.  The data will only ever be used for analysis purposes for future improvement. We provide our users with the opt-out option at any time by going to “Settings -> Privacy -> Analytics -> Opt-out”.

4.2.3. Push notifications about the app or about your trip

With your consent we use push notifications in the Ride App and/or by email or by using other contacts provided by you, to notify you about changes or updates about the services, such as  new Terms and Conditions or information service maintenance. We may also contact you directly about information specifically relevant to you, e.g. related to transactions that you performed, payment issues you raised. These notifications are at times necessary to meet regulatory requirements as determined in our Terms of Use agreement, for you to be timely and duly informed. Therefore, you cannot opt-out of receiving such service messages. For this purpose we process your contact details, notification text, status (e.g. Completed), sent/open time, Country/Region, User audience, First open, Lat app engagement and User properties.

4.2.4. Disputes and legal regulations

We may process personal data to comply with applicable laws and regulations, law enforcement requests or legislative  rulings as well as to dispute resolution cases.

4.2.5. Fraud prevention

We may use personal data such as IDs  (e.g. order id or event id), phone number, location information, time information (e.g. timestamps), and other data to assess and thereafter prevent fraud, abuse and misuse, specifically to prevent financial fraud and to ensure the personal data security to protect both yourself and  Trafi interests.

5.WHOM DO WE SHARE YOUR PERSONAL DATA WITH ?

Personal data may be disclosed to government or law enforcement agencies, whenever required by law; to our contracted service providers for processing in accordance with the purposes for which it was originally provided, e.g. to provide offered services, for technical support; and to other data controllers.

We may transfer your personal data to service providers that carry out certain functions on our behalf. This may involve transferring personal data outside the UK to countries which have laws that do not provide the same level of data protection as the UK law.

Whenever we transfer your personal data out of the UK to service providers, we ensure a similar degree of protection is afforded to it by ensuring that the following safeguards are in place:

• We will only transfer your personal data to countries that have been deemed by the UK to provide an adequate level of protection for personal data; or
• We may use specific standard contractual terms approved for use in the UK which give the transferred personal data the same protection as it has in the UK, namely the International Data Transfer Agreement or The International Data Transfer Addendum to the European Commission’s standard contractual clauses for international data transfers. To obtain a copy of these contractual safeguards, please contact us using the details set out above.

6.1. Contracted Service Providers (including Data Processors):

Under data processing agreements, we contractually define that our contracted service providers must use personal data solely for the agreed purposes and limited to the scope of the agreements we have in place with all third parties related to the service provision, and not to disclose your personal data to other parties, unless this is required and/or allowed by law.

Here is the list of the service providers with whom we share your personal data, they provide services such as operation of our central IT system, cloud service providers, technical error monitoring systems, etc.

Entity	Data transfer to the third countries	Purpose
UAB Intelligent Communications	EU	Development of the App services, subsidiary of Data Controller
AWS	USA, data centers in UK	Cloud service for hosting Application backend services, pp events tracking system, authentication services
Twilio, Inc	USA	Mobile number verification
Firebase	USA	Messaging in the app and A/B testing
AppFlyer	USA, data center in EU	Link support
Google BigQuery	USA, data center in EU	Analytical, statistical and fraud prevention purposes
Bugsnag	USA	System monitoring (logging, metrics and alerting) and debuging
Datadog	EU	System monitoring (logging, metrics and alerting) and debuging
Veriff	EU	ID document and Driver’s license verification
Mobility/ Ticketing Service Providers	Please check their Privacy policy	Third party service for purchasing and consuming tickets or transport services
Payment Service Provider –	Please check their Privacy policy	In order to purchase and pay for Public Tickets and get refunds
Customer support center – Journey Call	UK	Customer support
The Dairy Agency	UK	Marketing agency

FOR HOW LONG WE WILL KEEP YOUR PERSONAL DATA?

Under UK GDPR guidelines we only keep your personal data for as long as  is necessary for the fulfilment of our purposes, such as resolving disputes, enforcement of agreements, business and legitimate interests and/or if it is legally required to do so. After that period, we will delete all unnecessary data and use anonymised data for long-term Ride app analysis and improvement.

1. We will not keep your personal data for longer than necessary. How long your personal data is retained for will depend on the lawful basis for which it was collected. Depending on that lawful basis, we are not always able to comply with a ‘right to erasure’ request. In general we  retain all data for a period of 2 years after your last  Ride App activity (including opening the App); however, some data is held for shorter periods of time and anonymized data may be kept for longer periods.
2. If you choose to delete your Ride account, your account will be scheduled for deletion from the operational database, which may take a few days. Once the data has been deleted, you will receive an email confirming the deletion.
3. Please note that we still may be required to process certain information about you after your account has been deleted, to comply with our legal or contractual obligations . This could be, for example, where we are required to investigate a complaint or establish, exercise, or defend legal claims, such as in the pursuit of unpaid bills. We are also required to share information with the Police or other agencies for law enforcement purposes, which includes traffic offences such as speeding tickets. However, any personal data needed for these purposes will be transferred to a secured system and will be held in accordance with our retention information detailed in this notice.

7. WHAT RIGHTS DO YOU HAVE IN RELATION TO YOUR PERSONAL DATA?

We understand that you may at times need further information from us regarding your personal data and how it is processed or that you may wish to update or correct the personal data you have provided us with. In light hereof, you have inter alia, when appropriate and in the limits of the applicable data protection laws, the following rights:

• Right to access your personal data: you have the right to obtain confirmation from us as to whether personal data concerning you are being processed, and, where that is the case, access to the personal data and information.
• Right to data portability: you have the right to request that we provide you with your personal data in a machine-readable format as well as the right to request its transmission to another data controller.
• Right to rectification of personal data: if you find that personal data which we process about you is inaccurate, you have the right to have us correct such personal data, also you may correct Your Account data directly in the App.
• Right to erasure of personal data (right to be forgotten): you may request to delete your data directly in the App by using the “Account deletion” feature, in this case your data deletion will be scheduled and processed. In case there are no reasons to reject this request (e.g. open booking, debts) your data will be deleted (expect data to be stored under legal obligations) and you will receive confirmation via email.
• Right to restriction of processing: under certain circumstances, such as if you question the accuracy of your personal data or you have objected to our legitimate purpose to process your personal data, you have the right to request that we restrict the processing of your personal data until a solution has been found.
• Right to object to processing: under certain circumstances, such as if you question the legitimate interest to process your personal data, you have the right to object, on grounds relating to your particular situation, to such processing. Moreover, regarding our optional activities: you can object at any time to be subject to data analytics or notifications on general offerings and services by selecting to opt-out in the App at any time.
• Right to lodge a complaint with a supervisory authority: you have the right to lodge a complaint regarding our processing of your personal data directly with Trafi or with your supervisory authority – the Information Commissioners Office (ICO) if you think we have infringed your rights. You can find more information about reporting the matter to the ICO at https://ico.org.uk.

The processing of your personal data is based on your consent, you have the right to withdraw such consent at any time (this will however not affect the processing based on your consent before its withdrawal) by contacting us or by updating the settings in our Services (where applicable).

You can also contact our support team and request to export your personal data or to exercise any of your rights by contacting us via one of available Customer Support Channels in Ride App or by writing to us at support@rideeastmids.com.

No fee usually required

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

8.CHANGES TO THIS PRIVACY POLICY

Our Privacy Policy may change from time to time. Therefore, you should make sure to review the latest version of this policy on a regular basis. We will post any Privacy Policy changes in the Ride app and will inform you of any updates if the changes are significant and /or impact you statutory rights, we will be required to notify you via email to the address you have provided.