Version 31 August, 2018

GENERAL INFORMATION

This is the Privacy Policy of Kyyti Operointi Ltd. and when applicable, it also concerns other companies belonging to the same corporation, who may participate in the processing of the personal data that has been collected. This Privacy Policy shall provide the information required in articles 13 and 14 in the General Data Protection Regulation of the European Union (2016/679). Kyyti Operointi Ltd. or the companies belonging to the same corporation collects personal data from the users of the Kyyti application and the Kyyti transport service. This Privacy Policy explains what type of personal data we collect, how we process personal data and how you can exercise your rights regarding the processing of personal data. Kyyti Operointi Ltd. shall process personal data according to the legislation in force.

This Privacy Policy may be updated and you will find the up-to-date version on our web page www.kyyti.com. This Privacy Policy concerns both the processing of personal data by Kyyti Operointi Ltd., as well as processing by such third parties who take part in processing the personal data collected by Kyyti Operointi Ltd.

CONTROLLER

Kyyti Operointi Ltd. (“KYYTI”)

Business ID: 2801777-9

Address: Fredrikinkatu 47, FI-00180 Helsinki

E-mail address: [email protected]

Website: www.kyyti.com

Data protection officer: Pekka Niskanen, [email protected]

THE PERSONAL DATA PROVIDED BY THE USERS

User data is primarily collected from the users as they register for the Kyyti application and place orders.

The basic data provided by the user. We may collect the user’s name, e-mail address and phone number.

Payment method data provided by the user. If the user purchases services from the Kyyti application, we will collect data on the type of payment method used (e.g. debit or credit card, Apple Pay). Data on a specific payment method (e.g. debit or credit card number, the card holder’s name, expiration date, CVC code) is collected by our payment operator. KYYTI will only receive an identifier, and for debit/credit cards, the last four numbers and expiration date. With this data, KYYTI can charge the card on behalf of the customer.

Data provided by the user on the ordered trips and services. We collect the address and time of departure and arrival, the number of passengers, luggage information and other potential additional data the user provides when ordering transport services in the Kyyti application. When the user is buying a service in the Kyyti application that is only available to a certain group of users, we will also collect data from the user that shows that he or she belongs to this group (e.g. employee identification number, place of residence, the customer number related to this service).

The feedback and inquiries sent by the user to the KYYTI customer service. Users can send their feedback and questions to KYYTI at [email protected] as well as through the application’s customer service and through the chat on the website support.kyyti.com. The messages we receive from each user will be saved individually in our customer management system. The messages sent through the KYYTI Facebook page will also be saved in the same system.

The answers the user provides to KYYTI customer surveys on using the services, feedback and travel behaviour. KYYTI or the service providers authorised by KYYTI may conduct customer surveys to collect data on using the service, its usability and changes in travel behaviour. In connection with these, other background information may also be requested from the user, such as sex, age, place of residence and car ownership.

OTHER SOURCES OF PERSONAL DATA ON THE USERS

KYYTI or the third parties it has authorised also collect user data automatically when the user is using the Kyyti application or services. Third parties are system suppliers and subcontractors used by KYYTI, with whom KYYTI has a contract on processing data. In addition, KYYTI may receive personal data from other service providers and business customers.

The data KYYTI collects regarding the ordered trips and services. Regarding the orders the user places through the Kyyti application, we collect the names of the service providers and products, the number of orders, the number of trips, payments, the identifiers granting travel rights (e.g. ticket number) and the order numbers.

The location data collected by KYYTI or third parties. KYYTI and the subcontractors it uses (e.g. system suppliers) collect and process the user’s location data to help the Kyyti application offer him or her suitable transport services and to identify the departure address automatically. Location data may be saved locally on the user’s device (cache). When placing the order, the coordinates of the address the user has provided will be saved in the database so that the delivery data can be included in the purchase receipt and accessed when the customer wishes to do so.

Data on using the Kyyti application collected by KYYTI or third parties. KYYTI or the subcontractors it uses (e.g. system suppliers) may collect and process technical data on using the Kyyti application. Technical user information may include the device type, the length of the visit, any action taken in the application, the length and date, the URL addresses of the referral pages from which the user has entered our application or to which he or she moves to from the application, information regarding the browsing manner, IP address, operating system and other corresponding technical information.

The personal data that KYYTI receives from service providers or business customers. KYYTI may also receive personal data relating to the clients of the service providers whose services are sold in the Kyyti application, or employees or members of the business customers, if the data is needed for granting access to the services.

The cookies collected by KYYTI or third parties. KYYTI uses cookies on its websites to implement its online order services. The main purpose of the cookies is to keep the user identified in between visiting pages. The user can block the cookies from being saved on his or her device completely or partly (for example third party cookies) in the data protection settings of the browser. Please note that when doing this, some features of the service may not function correctly. For example, you always need to log in to the application when opening it.

THE PURPOSE OF THE PROCESSING OF PERSONAL DATA

KYYTI uses your personal data so that we can carry out the following:

To provide and supply you with our own and our partners’ services. We process your personal data primarily to be able to provide services and products to you and to fulfil our obligations based on contractual relationships with you and our partners. We process data, for example, to manage, administer and develop access rights, customer relationships and the service. Data from the register is processed to help individualise KYYTI’s and our partners’ services and to ensure the data protection of their processing of personal data, to investigate system failures as well as possible abuse and security breaches. The data shall also be used to determine how much the services have been used and to monitor the expenses and their division. Personal data will also be used to process your payments and possible refunds and to give our partners the necessary information to deliver your order.

To provide you with customer support in using the services. If you contact our customer service, we use the data provided by you and collected by us to answer your questions and to solve your potential problems and claims.

To provide you with essential guidance and information on using the service. We process your personal data to inform you about the essential guidelines of and changes to our and our partners’ services that affect the possibilities of using the services.

To develop the service and improve it for you and other users. We may process your data to improve the quality of our services, for example, by analysing the use of our services. For this purpose, we strive to use anonymous data, from which the individual cannot be identified.

To conduct customer surveys. To ensure that our services and products are up to your expectations, the data you have provided may, with your consent, be used for customer satisfaction surveys, among others. Filling our customer surveys is always voluntary, and in connection with the survey you will be informed of how the collected information will be used.

To invite you and other users to interviews and workshops. We may conduct surveys to invite people to interviews and workshops, with the purpose of developing the service. In these surveys we will collect the respondents’ e-mail address and/or phone number so that we can contact you to set a time for an interview or workshop. In addition, we may later send information of the service that was the subject of the interview and workshop to those that answered the survey (e.g. when it is published). Answering surveys is always voluntary, and in connection with the survey, the user shall be informed of how the collected data is used.

To send you marketing messages about KYYTI services and the transport services sold in the Kyyti application. With your consent, we may use your data to send you KYYTI newsletters or other marketing messages that are related to the services that are sold in the Kyyti application.

To offer other operators the possibility to market their services to you. With your consent, we may also pass on your data for targeted advertising by other operators.

TRANSFERS AND DISCLOSURES OF PERSONAL DATA

KYYTI may transfer or disclose your data to the following recipients:

To service providers, whose services the user has purchased in the Kyyti application. The amount of data to be transferred varies according to the service providers’ requirements and products. For example, when a product is only offered to a certain customer group, more data needs to be transferred than when the product is available to everyone. When placing the order, the customer will be informed which service provider’s service he or she is ordering. To order and use the service in question, it is necessary to approve the transferring of data to the service provider in question. Data is transferred only to the extent necessary to implement the service.

To business customers, whose employees, clients or members can buy services tailored to their own group in the Kyyti application. Data required by these business customers will be transferred to them. When placing an order, the user is informed if the service has been tailored to the employees, clients or members of a business customer, and the user must approve the transfer of data to the business customer in question to order and use the service.

To transport companies who deliver Kyyti transport service to the users. The transport companies need data to be able to identify the user and his or her travel rights and contact them should any problems arise. Transferring data to these operators is required when using the Kyyti transport service.

To transport optimisation services, with which the trip orders are routed and dispatched to the drivers of the transport companies. Transferring data to these operators is required to use the Kyyti transport service.

To payment operators who charge the user for the services they have purchased in the Kyyti application. Transferring the information to these operators is required to purchase services in the Kyyti application.

To ticket or travel rights management system providers used by transport service providers, through which the user will receive the ticket or identifier to prove his or her travel right. Transferring data to these operators is required to purchase services from service providers using the systems in question in the Kyyti application.

To authorities, to whom KYYTI has an obligation to report. Transferring data to these actors is required to purchase services in the Kyyti application.

To cloud service providers, from whom KYYTI obtains software and information system services to sustain the Kyyti application and services. Transferring data to these operators is required to purchase services in the Kyyti application.

To a third party involved in re-organising the business, if KYYTI is a party in a merger, an asset deal or other transaction/corporate acquisition. In a situation like this, we may transfer your data to a third party. However, we guarantee the confidentiality of your personal data, and we shall notify users prior to transferring the data or before the applicable Privacy Policy is changed. The user has the possibility to request erasure of the data before it is transferred due to business reorganisation.

TRANSFERS AND DISCLOSURES OF PERSONAL DATA TO THIRD COUNTRIES

Personal data shall not be transferred to be processed in countries outside the European Union or the European Economic Area. However, personal data may be transferred to be processed by KYYTI’s partners in such third countries, whose data protection level the European Commission has declared sufficient.

THE STORAGE PERIOD OF THE PERSONAL DATA

Personal data shall be stored for a year at most from the last time that the user has used the application, except for the data that can be seen on the receipt for ordered trips and services (incl. address information), which will be stored for at least six years from the end of the year when the receipt has been given due to accounting legislation. The answers that the users have provided to customer surveys shall be retained for five years.

PROTECTING PERSONAL DATA

The personal data register is protected by the appropriate technical and administrative means. Only persons specifically appointed by KYYTI or KYYTI’s employees shall process the personal data. Access to the system is restricted and the register is protected with a firewall and access management.

THE RIGHTS OF DATA SUBJECTS

Access to data and the right of inspection. The user holds the right to request access to the data stored in the register concerning him or her for free once a year. An informal request shall be sent in writing to the above-mentioned data protection officer. The request shall include necessary identifiers so that the data can be retrieved from the system. Such information is the e-mail address that the user registered in the service with. We also need to know whether the user allows the data to be sent by e-mail. KYYTI will send the data only to the e-mail address that is stored in the service.

Rectification or erasure of data. Users can correct their basic data themselves by logging into the service and accessing their account information. For other data, the customer may deliver an informal request for rectification to the above-mentioned data protection officer. Similarly, the user may send the data protection officer a request for a complete erasure of their data. The user has the right to demand the erasure of personal data concerning him- or herself, if the personal data is no longer needed for the purposes for which it was collected, or if the data subject cancels his or her consent to the processing of his or her personal data, and there is no other legal ground to process the data. The request for rectification or erasure shall include the necessary identifiers, with which the information may be retrieved from the system. Such information is the e-mail address that the user registered in the service with.

Restricting or objecting the processing of data. The user may restrict and object the processing of data concerning him- or herself. In the account information, the user may restrict or prohibit the processing of his or her data for marketing reasons (e.g. newsletters) or for advertising reasons without this affecting the right to use the services. If the user wishes to restrict the processing of such data that is needed to provide the services, the user cannot continue using the services.

Transferring the data to another system. The data subject has the right to obtain the personal data which he or she has provided to KYYTI him- or herself, and the right to transfer this data to another controller.

Filing a complaint to the supervisory authority. The user holds the right to file a complaint if he or she considers that his or her rights based on the data protection regulation have been offended.

AUTOMATIC DECISION MAKING

When offering the user its own and its partners’ services, KYYTI will select and organise the offered services in a presumably suitable form based on the user’s previous choices and behaviour. This happens automatically, and while doing this, KYYTI will not share any user data that might affect the users.

The legal basis of the processing of personal data is the consent given by the user. By accepting KYYTI’s Terms of Use and Privacy Policy when registering, the user provides his or her consent to the processing of their personal data in the way specified in the Privacy Policy. KYYTI stores the consent, which the user may withdraw if necessary. However, withdrawing the consent will lead to the user no longer being able to use KYYTI services. When a user withdraws his or her consent, KYYTI will remove his or her personal data except for the data on the receipts for ordered trips and services (including address), which KYYTI will retain in the above-mentioned manner due to the accounting legislation.

CHANGES TO THIS PRIVACY POLICY

This Privacy Policy may be updated. You can find the up-to-date version on our website www.kyyti.com. We shall not make significant changes to this Privacy Policy or reduce your rights without first providing notice of these changes.