Version 17 April, 2020
Kyyti Group Ltd. (“KYYTI”)
Business ID: 2801779-5
Address: Fredrikinkatu 47, FI-00180 Helsinki
E-mail address: [email protected]
Data protection officer: Pekka Niskanen, [email protected]
LEGAL GROUNDS FOR THE PROCESSING OF PERSONAL DATA
The legal grounds for the processing of personal data are the agreement between the controller and the data subject in accordance with the European Union’s General Data Protection Regulation, the legitimate interests of KYYTI based on its customer relationship obligations, and KYYTI’s statutory obligations. Legal grounds have been specified for each purpose for which data is processed. Wherever the grounds for processing are a legitimate interest, such an interest has been identified, and the data subject may send KYYTI an informal email requesting additional information in which the interest is assessed in relation to the data subject’s rights.
THE PERSONAL DATA PROVIDED BY THE USERS
User data is primarily collected from the users as they register for KYYTI’S applications and place orders.
The basic data provided by the user. We may collect the user’s name, e-mail address and phone number.
Payment method data provided by the user. If the user purchases services from KYYTI’s applications, we will collect data on the type of payment method used (e.g. debit or credit card, Apple Pay). Data on a specific payment method (e.g. debit or credit card number, the card holder’s name, expiration date, CVC code) is collected by our payment operator. KYYTI will only receive an identifier, and for debit/credit cards, the last four numbers and expiration date. With this data, KYYTI can charge the card on behalf of the customer.
Data provided by the user on the ordered trips and services. We collect the address and time of departure and arrival, the number of passengers, luggage information and other potential additional data the user provides when ordering transport services in KYYTI’s applications. When the user is buying a service in KYYTI’s applications that is only available to a certain group of users, we will also collect data from the user that shows that he or she belongs to this group (e.g. employee identification number, place of residence, the customer number related to this service).
The feedback and inquiries sent by the user to the KYYTI customer service. Users can send their feedback and questions to KYYTI at [email protected] as well as through the applications’ customer service and through the chat on the website support.kyyti.com. The messages we receive from each user will be saved individually in our customer management system. The messages sent through the KYYTI Facebook page will also be saved in the same system.
The answers the user provides to KYYTI customer surveys on using the services, feedback and travel behaviour. KYYTI or the service providers authorised by KYYTI may conduct customer surveys to collect data on using the service, its usability and changes in travel behaviour. In connection with these, other background information may also be requested from the user, such as sex, age, place of residence and car ownership.
OTHER SOURCES OF PERSONAL DATA ON THE USERS
KYYTI or the third parties it has authorised also collect user data automatically when the user is using KYYTI’s applications or services. Third parties are system suppliers and subcontractors used by KYYTI, with whom KYYTI has a contract on processing data. In addition, KYYTI may receive personal data from other service providers and business customers.
The data KYYTI collects regarding the ordered trips and services. Regarding the orders the user places through KYYTI’s applications, we collect the names of the service providers and products, the number of orders, the number of trips, payments, the identifiers granting travel rights (e.g. ticket number) and the order numbers.
The location data collected by KYYTI or third parties. KYYTI and the subcontractors it uses (e.g. system suppliers) collect and process the user’s location data to help KYYTI’s applications offer him or her suitable transport services and to identify the departure address automatically. Location data may be saved locally on the user’s device (cache). When placing the order, the coordinates of the address the user has provided will be saved in the database so that the delivery data can be included in the purchase receipt and accessed when the customer wishes to do so.
Data on using KYYTI’s applications collected by KYYTI or third parties. KYYTI or the subcontractors it uses (e.g. system suppliers) may collect and process technical data on using KYYTI’s applications. Technical user information may include the device type, the length of the visit, any action taken in the application, the length and date, the URL addresses of the referral pages from which the user has entered our application or to which he or she moves to from the application, information regarding the browsing manner, IP address, operating system and other corresponding technical information.
The personal data that KYYTI receives from service providers or business customers. KYYTI may also receive personal data relating to the clients of the service providers whose services are sold in KYYTI’s applications, or employees or members of the business customers, if the data is needed for granting access to the services.
PURPOSE OF AND GROUNDS FOR THE PROCESSING OF PERSONAL DATA
KYYTI uses your personal data so that we can carry out the following:
To provide and supply you with our own and our partners’ services. We process your personal data primarily to be able to provide services and products to you and to fulfill our obligations based on contractual relationships with you and our partners. We process data, for example, to manage, administer and develop access rights, customer relationships and the service. Data from the register is processed to help individualise KYYTI’s and our partners’ services and to ensure the data protection of their processing of personal data, to investigate system failures as well as possible abuse and security breaches. The data shall also be used to determine how much the services have been used and to monitor the expenses and their division. Personal data will also be used to process your payments and possible refunds and to give our partners the necessary information to deliver your order. The processing of personal data is based on an agreement.
To provide you with customer support in using the services. If you contact our customer service, we use the data provided by you and collected by us to answer your questions and to solve your potential problems and claims. Processing is based on a legitimate interest in providing customer service and developing the customer experience and service.
To provide you with essential guidance and information on using the service. We process your personal data to inform you about the essential guidelines of and changes to our and our partners’ services that affect the possibilities of using the services. Processing is based on a legitimate interest in providing information about the use of the service and improving its usability.
To develop the service and improve it for you and other users. We may process your data to improve the quality of our services, for example, by analysing the use of our services. For this purpose, we strive to use anonymous data, from which the individual cannot be identified. The grounds for processing are a legitimate interest in developing the service.
To conduct customer surveys. To ensure that our services and products are up to your expectations, the data you have provided through customer surveys may be used for developing the service. Filling our customer surveys is always voluntary, and in connection with the survey you will be informed of how the collected information will be used. The grounds for processing are a legitimate interest in developing the service.
To invite you and other users to interviews and workshops. We may conduct surveys to invite people to interviews and workshops, with the purpose of developing the service. In these surveys we will collect the respondents’ e-mail address and/or phone number so that we can contact you to set a time for an interview or workshop. In addition, we may later send information of the service that was the subject of the interview and workshop to those that answered the survey (e.g. when it is published). Answering surveys is always voluntary, and in connection with the survey, the user shall be informed of how the collected data is used. The grounds for processing are a legitimate interest in developing the service.
To send you marketing messages about KYYTI services and the transport services sold in KYYTI’S applications. We may use your data to send you KYYTI newsletters or other marketing messages that are related to the services that are sold in KYYTI’s applications. We use your previous data regarding orders and use of the service in order to provide you with more-tailored services. You have the right to object to direct marketing by contacting KYYTI. The grounds for processing are a legitimate interest in marketing to the service provider’s own customers.
To comply with our legal obligations. KYYTI stores order-related data in accordance with accounting legislation. We may also process your data at the request of the authorities. We only do so to the extent required by law. Such processing is based on a legal obligation.
TRANSFERS AND DISCLOSURES OF PERSONAL DATA
KYYTI may transfer or disclose your data to the following recipients:
To service providers, whose services the user has purchased in KYYTI’s applications. The amount of data to be transferred varies according to the service providers’ requirements and products. For example, when a product is only offered to a certain customer group, more data needs to be transferred than when the product is available to everyone. When placing the order, the customer will be informed which service provider’s service he or she is ordering. To order and use the service in question, it is necessary to approve the transferring of data to the service provider in question. Data is transferred only to the extent necessary to implement the service.
To business customers, whose employees, clients or members can buy services tailored to their own group in KYYTI’s applications. Data required by these business customers will be transferred to them. When placing an order, the user is informed if the service has been tailored to the employees, clients or members of a business customer, and the user must approve the transfer of data to the business customer in question to order and use the service.
To transport companies who deliver services offered in KYYTI’s applications to the users. The transport companies need data to be able to identify the user and his or her travel rights and contact them should any problems arise. Transferring data to these operators is required when using services offered in KYYTI’s applications.
To transport optimisation services, with which the trip orders are routed and dispatched to the drivers of the transport companies. Transferring data to these operators is required to use transport services sold in KYYTI’s applications.
To payment operators who charge the user for the services they have purchased in KYYTI’s applications. Transferring the information to these operators is required to purchase services in KYYTI’s applications.
To ticket or travel rights management system providers used by transport service providers, through which the user will receive the ticket or identifier to prove his or her travel right. Transferring data to these operators is required to purchase services from service providers using the systems in question in KYYTI’s applications.
To authorities, to whom KYYTI has an obligation to report. Transferring data to these actors is required to purchase services in KYYTI’s applications.
To cloud service providers, from whom KYYTI obtains software and information system services to sustain KYYTI’s applications and services. Transferring data to these operators is required to purchase services in KYYTI’s applications.
TRANSFERS AND DISCLOSURES OF PERSONAL DATA TO THIRD COUNTRIES
Personal data shall not be transferred to be processed in countries outside the European Union or the European Economic Area. However, personal data may be transferred to be processed by KYYTI’s partners in such third countries, whose data protection level the European Commission has declared sufficient. This applies to the storage of data in the cloud by subcontractors of KYYTI. An up-to-date list of such countries can be found on the Commission’s website.
THE STORAGE PERIOD OF THE PERSONAL DATA
Personal data shall be stored for a year at most from the last time that the user has used the application, except for the data that can be seen on the receipt for ordered trips and services (incl. address information), which will be stored for at least six years from the end of the year when the receipt has been given due to accounting legislation. The answers that the users have provided to customer surveys shall be retained for five years.
PROTECTING PERSONAL DATA
The personal data register is protected by the appropriate technical and administrative means. Only persons specifically appointed by KYYTI or KYYTI’s employees shall process the personal data. Access to the system is restricted and the register is protected with a firewall and access management. The commitment of subcontractors to data protection is secured by agreements.
THE RIGHTS OF DATA SUBJECTS
Access to data and the right of inspection. The user holds the right to request access to the data stored in the register concerning him or her for free once a year. An informal request shall be sent in writing to the above-mentioned data protection officer. The request shall include necessary identifiers so that the data can be retrieved from the system. Such information is the e-mail address that the user registered in the service with. We also need to know whether the user allows the data to be sent by e-mail. KYYTI will send the data only to the e-mail address that is stored in the service. If the user would like the data in non-electronic format, this must be stated separately.
Rectification or erasure of data. Users can correct their basic data themselves by logging into the service and accessing their account information. For other data, the customer may deliver an informal request for rectification to the above-mentioned data protection officer. Similarly, the user may send the data protection officer a request for a complete erasure of their data. The user has the right to demand the erasure of personal data concerning him- or herself, if the personal data is no longer needed for the purposes for which it was collected and there is no other legal ground to process the data. The request for rectification or erasure shall include the necessary identifiers, with which the information may be retrieved from the system. Such information is the e-mail address that the user registered in the service with.
Restricting or objecting the processing of data. The user may restrict and object the processing of data concerning him- or herself. In the account information, the user may restrict or prohibit the processing of his or her data for marketing reasons (e.g. newsletters) or for advertising reasons without this affecting the right to use the services. If the user wishes to restrict the processing of such data that is needed to provide the services, the user cannot continue using the services.
Transferring the data to another system. The data subject has the right to obtain the personal data which he or she has provided to KYYTI him- or herself, and the right to transfer this data to another controller.
Filing a complaint to the supervisory authority. The user holds the right to file a complaint if he or she considers that his or her rights based on the data protection regulation have been offended.
AUTOMATIC DECISION MAKING
When offering the user its own and its partners’ services, KYYTI will select and organise the offered services in a presumably suitable form based on the user’s previous choices and behaviour. This happens automatically, and while doing this, KYYTI will not share any user data that might affect the users. This processing does not affect services other than those provided for the user. The user has the right to receive additional information about the profile created by an automated system from the user’s data.