Version 8 February, 2019

GENERAL INFORMATION

This is the Privacy Policy of Kyyti Operointi Ltd. and when applicable, it also concerns other companies belonging to the same corporation, who may participate in the processing of the personal data that has been collected. This Privacy Policy shall provide the information required in articles 13 and 14 in the General Data Protection Regulation of the European Union (2016/679). Kyyti Operointi Ltd. or the companies belonging to the same corporation collect personal data from the users of the Kyyti application and the Kyyti transport service. This Privacy Policy explains what type of personal data we collect, how we process personal data and how you can exercise your rights regarding the processing of personal data. Kyyti Operointi Ltd. shall process personal data according to the legislation in force.

This Privacy Policy may be updated and you will find the up-to-date version on our web page www.kyyti.com. This Privacy Policy concerns both the processing of personal data by Kyyti Operointi Ltd., as well as processing by such third parties who take part in processing the personal data collected by Kyyti Operointi Ltd.

CONTROLLER

Kyyti Operointi Ltd. (“KYYTI”)

Business ID: 2801777-9

Address: Fredrikinkatu 47, FI-00100 Helsinki

E-mail address: [email protected]

Website: www.kyyti.com

Data protection officer: Pekka Niskanen, [email protected]

The legal bases for the processing of personal data are the fulfilment of a contract between the data controller and the data subject, the legitimate interests of Kyyti, and fulfilment of legal obligations, as defined in the General Data Protection Regulation of the European Union. The applicable legal basis is identified in connection with each purpose for processing. Where the legal basis is legitimate interests, the relevant interest is identified and the data subject has the right to request additional information regarding the assessment of this interest in relation to the rights of the data subject.

PERSONAL DATA PROVIDED BY USERS

User data is primarily collected from the users as they register for the Kyyti application and place orders.

The basic data provided by the user. We may collect the user’s name, e-mail address

and phone number.

Payment method data provided by the user. If the user purchases services from the Kyyti application, we will collect data on the type of payment method used (e.g. debit or credit card, Apple Pay). Data on a specific payment method (e.g. debit or credit card number, the card holder’s name, expiration date, CVC code) is collected by our payment operator. KYYTI will only receive an identifier, and for debit/credit cards, the last four numbers and expiration date. With this data, KYYTI can charge the card on behalf of the customer.

Data provided by the user on the ordered trips and services. We collect the address and time of departure and arrival, the number of passengers, luggage information and other potential additional data the user provides when ordering transport services in the Kyyti application. When the user is buying a service in the Kyyti application that is only available to a certain group of users, we will also collect data from the user that shows that he or she belongs to this group (e.g. employee identification number, place of residence, the customer number related to this service).

The feedback and inquiries sent by the user to the KYYTI customer service. Users can send their feedback and questions to KYYTI at [email protected] as well as through the application’s customer service and through the chat on the website support.kyyti.com. The messages we receive from each user will be saved individually in our customer management system. The messages sent through the KYYTI Facebook page will also be saved in the same system.

The answers the user provides to KYYTI customer surveys on using the services, feedback and travel behaviour. KYYTI or the service providers authorised by KYYTI may conduct customer surveys to collect data on using the service, its usability and changes in travel behaviour. In connection with these, other background information may also be requested from the user, such as sex, age, place of residence and car ownership.

OTHER SOURCES OF USERS’ PERSONAL DATA

KYYTI or the third parties it has authorised also collect user data automatically when the user is using the Kyyti application or services. Third parties are system suppliers and subcontractors used by KYYTI, with whom KYYTI has a contract on processing data. In addition, KYYTI may receive personal data from other service providers and business customers.

The data KYYTI collects regarding the ordered trips and services. Regarding the orders the user places through the Kyyti application, we collect the names of the service providers and products, the number of orders, the number of trips, payments, the identifiers granting travel rights (e.g. ticket number) and the order numbers.

The location data collected by KYYTI or third parties. KYYTI and the subcontractors it uses (e.g. system suppliers) collect and process the user’s location data to help the Kyyti application offer him or her suitable transport services and to identify the departure address automatically. Location data may be saved locally on the user’s device (cache). When placing the order, the coordinates of the address the user has provided will be saved in the database so that the delivery data can be included in the purchase receipt and accessed when the customer wishes to do so.

Data on using the Kyyti application collected by KYYTI or third parties.

KYYTI or the subcontractors it uses (e.g. system suppliers) may collect and process technical data on using the Kyyti application. Technical user information may include the device type, the length of the visit, any action taken in the application, the length and date, the URL addresses of the referral pages from which the user has entered our application or to which he or she moves to from the application, information regarding the browsing manner, IP address, operating system and other corresponding technical information.

The personal data that KYYTI receives from service providers or business customers. KYYTI may also receive personal data relating to the clients of the service providers whose services are sold in the Kyyti application, or employees or members of the business customers, if the data is needed for granting access to the services.

The cookies collected by KYYTI or third parties. KYYTI uses cookies on its websites to implement its online order services. The main purpose of the cookies is to keep the user identified in between visiting pages. The user can block the cookies from being saved on his or her device completely or partly (for example third party cookies) in the data protection settings of the browser. Please note that when doing this, some features of the service may not function correctly. For example, you always need to log in to the application when opening it.

KYYTI uses your personal data so that we can carry out the following:

To provide and supply you with our own and our partners’ services. We process your personal data primarily to be able to provide services and products to you and to fulfil our obligations based on contractual relationships with you and our partners. We process data, for example, to manage, administer and develop access rights, customer relationships and the service. Data from the register is processed to help individualise KYYTI’s and our partners’ services and to ensure the data protection of their processing of personal data, to investigate system failures as well as possible abuse and security breaches. The data shall also be used to determine how much the services have been used and to monitor the expenses and their division. Personal data will also be used to process your payments and possible refunds and to give our partners the necessary information to deliver your order. This processing is based on the contract between the data controller and the data subject.

To provide you with customer support in using the services. If you contact our customer service, we use the data provided by you and collected by us to answer your questions and to solve your potential problems and claims. This processing is based on the legitimate interest in providing customer support and developing the service.

To provide you with essential guidance and information on using the service. We process your personal data to inform you about the essential guidelines of and changes to our and our partners’ services that affect the possibilities of using the services. This processing is based on the legitimate interest in providing customers information relating to the use of the service and improving the customer experience.

To develop the service and improve it for you and other users. We may process your data to improve the quality of our services, for example, by analysing the use of our services. For this purpose, we strive to use anonymous data, from which the individual cannot be identified. This processing is based on the legitimate interest in improving the service.

To conduct customer surveys. To ensure that our services and products are up to your expectations, the data you have provided while submitting customer feedback may be used for customer satisfaction surveys. Filling in our customer surveys is always voluntary, and in connection with the survey you will be informed of how the collected information will be used. This processing is based on the legitimate interest in developing the service.

To invite you and other users to interviews and workshops. We may conduct surveys to invite people to interviews and workshops, with the purpose of developing the service. In these surveys we will collect the respondents’ e-mail address and/or phone number so that we can contact you to set a time for an interview or workshop. In addition, we may later send information of the service that was the subject of the interview and workshop to those that answered the survey (e.g. when it is published). Answering surveys is always voluntary, and in connection with the survey, the user shall be informed of how the collected data is used. This processing is based on the legitimate interest in developing the service.

To send you marketing messages about KYYTI services and the transport services sold in the Kyyti application. We may use your data to send you KYYTI newsletters or other marketing messages that are related to the services that are sold in the Kyyti application. We use your previous purchase and app usage history in order to offer you more suitable services. You have a right to object to direct marketing by contacting Kyyti. This processing is based on the legitimate interest in marketing to one’s existing customers.

To fulfil our legal obligations. Kyyti will retain data on your purchases and orders pursuant to accounting legislation. We may also be compelled to process your data by authorities. This is only done insofar as is required by law. This processing is based on a legal obligation.

TRANSFERS AND DISCLOSURES OF PERSONAL DATA

KYYTI may transfer or disclose your data to the following recipients:

To service providers, whose services the user has purchased in the Kyyti application. The amount of data to be transferred varies according to the service providers’ requirements and products. For example, when a product is only offered to a certain customer group, more data needs to be transferred than when the product is available to everyone. When placing the order, the customer will be informed which service provider’s service he or she is ordering. To order and use the service in question, it is necessary to approve the transferring of data to the service provider in question. Data is transferred only to the extent necessary to implement the service.

To business customers, whose employees, clients or members can buy services tailored to their own group in the Kyyti application. Data required by these business customers will be transferred to them. When placing an order, the user is informed if the service has been tailored to the employees, clients or members of a business customer, and the user must approve the transfer of data to the business customer in question to order and use the service.

To transport companies who deliver Kyyti transport service to the users. The transport companies need data to be able to identify the user and his or her travel rights and contact them should any problems arise. Transferring data to these operators is required when using the Kyyti transport service.

To transport optimisation services, with which the trip orders are routed and dispatched to the drivers of the transport companies. Transferring data to these operators is required to use the Kyyti transport service.

To payment operators who charge the user for the services they have purchased in the Kyyti application. Transferring the information to these operators is required to purchase services in the Kyyti application.

To ticket or travel rights management system providers used by transport service providers, through which the user will receive the ticket or identifier to prove his or her travel right. Transferring data to these operators is required to purchase services from service providers using the systems in question in the Kyyti application.

To authorities, to whom KYYTI has an obligation to report. Transferring data to these actors is required to purchase services in the Kyyti application.

To cloud service providers, from whom KYYTI obtains software and information system services to sustain the Kyyti application and services. Transferring data to these operators is required to purchase services in the Kyyti application.

To a third party involved in re-organising the business, if KYYTI is a party in a merger, an asset deal or other transaction/corporate acquisition. In a situation like this, we may transfer your data to a third party. However, we guarantee the confidentiality of your personal data, and we shall notify users prior to transferring the data or before the applicable Privacy Policy is changed. The user has the possibility to request erasure of the data before it is transferred due to business reorganisation.

TRANSFERS AND DISCLOSURES OF PERSONAL DATA TO THIRD COUNTRIES

Personal data shall not be transferred to countries outside the European Union or the European Economic Area. However, personal data may be transferred to be processed by KYYTI’s partners in third countries whose data protection level the European Commission has declared sufficient. This applies to the storage of data in cloud computing services by our subcontractors. An up-to-date list of such third countries can be found on the website of the European Commission.

STORAGE PERIOD OF PERSONAL DATA

Personal data shall be stored for a year at most from the last time that the user has used the application, except for the data that can be seen on the receipt for ordered trips and services (incl. address information), which will be stored for at least six years from the end of the year when the receipt has been given pursuant to accounting legislation. The answers that the users have provided to customer surveys shall be retained for five years.

DATA SECURITY

The personal data registry is protected by the appropriate technical and administrative means. Only persons specifically appointed by KYYTI or KYYTI’s employees shall process the personal data. Access to the system is restricted and the registry is protected with a firewall and access management.

THE RIGHTS OF DATA SUBJECTS

Access to data and the right of inspection. The user has the right to request access to the data stored in the register concerning him or her for free once a year. This is done by an informal request sent in written form to the aforementioned data protection officer. The request shall include necessary identifiers so that the data can be retrieved from the system. This is typically the e-mail address that the user registered into the service. We also need to know whether the user allows the data to be sent by e-mail. KYYTI will send the data only to the e-mail address that is stored in the service. If you want the data in another, non-electronic format, such a request has to be made separately by contacting KYYTI.

Rectification or erasure of data. Users can correct their basic data themselves by logging into the service and accessing their account information. For other data, the customer may deliver an informal request for rectification to the above-mentioned data protection officer. Similarly, the user may send the data protection officer a request for the complete erasure of their data. The user has the right to demand the erasure of personal data concerning him- or herself, if the personal data is no longer needed for the purposes for which it was collected, and there is no other legal ground for processing the data. The request for rectification or erasure shall include the necessary identifiers, with which the information may be retrieved from the system. This is typically the e-mail address that the user registered into the service.

Restricting or objecting to the processing of data. The user may restrict and object to the processing of data concerning him- or herself. In the account information, the user may restrict or prohibit the processing of his or her data for marketing reasons (e.g. newsletters) or for advertising reasons without this affecting the right to use the services. If the user wishes to restrict the processing of data that is necessary in order to provide the services, the user cannot continue using the services.

Transferring the data to another system. The data subject has the right to obtain the personal data which he or she has provided to KYYTI him- or herself, and the right to transfer this data to another controller.

Filing a complaint to the supervisory authority. The user holds the right to file a complaint if he or she considers that his or her rights based on the data protection regulation have been infringed.

AUTOMATIC DECISION MAKING

When offering the user its own and its partners’ services, KYYTI will select and organise the offered services in a presumably suitable form based on the user’s previous choices and behaviour. This happens automatically, and while doing this, KYYTI will not share any user data that might affect the users. This processing only affects the services offered to the user. The user has the right to receive additional information concerning the profile pertaining to their personal data as a result of automated processing.

CHANGES TO THIS PRIVACY POLICY

This Privacy Policy may be updated. You can find the up-to-date version on our website www.kyyti.com. We shall not make significant changes to this Privacy Policy or reduce your rights without first providing notice of these changes.