Privacy Policy "Passenger"

Privacy Policy “Passenger”

UK

 

Privacy notices for passengers in accordance with the EU's General Data Protection Regulation ('GDPR')

Information as of May 2018

The information we have provided below gives you an overview of our approach to processing your personal data and your rights under the provisions of data protection legislation in connection with the use of our ride-hailing app for passengers ('mytaxi Passenger App').

The personal data processed depends largely on the services or products you use in any given case.

 

Classification

 

1. Data controller and contact

2. Processing purposes and data categories

3. Provider of processing services and processing in countries outside the European Economic Area

4. Your rights

5. Data security

6. Storage period

 

1. Information on the data controller

Data controller under Article 4(7) GDPR for passengers in the territory of the United Kingdom:

mytaxi Network Ltd. ('mytaxi')

Harling House

Great Suffolk Street

London SE1 0BS

 

Email address: uk.support@mytaxi.com

The easiest way to reach our data protection officer is by sending an email to uk.support@mytaxi.com or writing to the above address.

 

2. Processing purposes and data categories

We aim to inform you about the various types of personal data we process and the purposes for which we do this below.

 

2.1 Ride-hailing

The mytaxi Passenger App enables you to hail a ride in a taxi with a taxi driver ('driver') through us. You must provide personal data to use our mytaxi Passenger App for ride-hailing, which we process to provide the given service. Additional voluntary information that may also be provided is marked accordingly (optional).

In the context of the hailing service, the following personal data will be processed in accordance with Article 6(1.)(b) GDPR for the performance of the contract:

First and last name, email address and mobile phone number (master data). Your GPS location data at the time of booking, the start and destination coordinates of your ride, information on your terminal equipment (device ID) and the password you have chosen (in encrypted form) are also processed.

Your home address, work address and profile picture are optional and will be processed only if entered.

You either enter the personal data (e.g. your name) at the time of registration or we receive it directly from your terminal equipment (e.g. GPS location data). You approve the transmission of your GPS location data via your terminal equipment's (smartphone, tablet, etc.) operating system. We need the GPS coordinates of your location so that the taxi you have ordered can find and collect you.

We will forward your GPS location data, name and profile picture (if you have provided one) to the driver who has accepted the ride you have booked for identification purposes. The driver can call you after accepting your booking and when mobile via the mytaxi Driver App, where the mobile phone number you provided during registration is displayed. This enables the driver to inform you of any delays, e.g. traffic jams.

After accepting your order, the driver or taxi operator will receive your name and profile picture (if you have provided one) for identification purposes and, in particular, so that she/he/they can determine that the right person is being collected. She/he/they determines this by asking you for your name when you board at the beginning of the ride. The driver cannot see your personal data in her/his mytaxi Driver App after the ride.

It will not be possible for you to hail taxis through us if we do not process the personal data shown above. This does not apply to optional information.

 

2.2 Payment

You can pay for taxi rides hailed through us in cash, by credit card or with the pay-by-app function. The pay-by-app function enables you to pay without cash using the mytaxi Passenger App. We will then debit the amount via your specified means of payment. You can provide the details of your credit card or another source of payment to enable the pay-by-app function. If your credit card details are provided, they will be transmitted directly to the payment service provider engaged by us via an encrypted connection. Our payment service provider then authenticates your means of payment by reserving an amount of GBP 0.50 on your account. This ensures that your means of payment is active. We engage two payment service providers to ensure the payment method we offer is available in the event of one of them being obstructed. Both payment service providers are PCI DSS certified (Payment Card Industry Data Security Standard). Only the first six and last four digits of your credit card are transmitted to us for security reasons and we store them for the purposes of identification and verification.

In the context of payment, the following personal data will be processed in accordance with Article 6(1.)(b) GDPR for the performance of the contract:

First and last name, gender, address, start and destination coordinates of your ride, country, language, email address, mobile phone number, credit card holder's first and last name, credit card issuer, first six and last four digits of the credit card number, credit card's expiry date, and information about your terminal equipment (device ID, etc.).

We cannot offer you certain means of payment if we do not process these personal data. You can still pay in cash or by debit card, however.

 

2.3 Fraud prevention and non-payment

Since mytaxi bears the risk of non-payment in the event that payments made by credit card or the pay-by-app function are not honoured, an assessment of the risk of non-payment is made on the basis of a mathematic-statistical procedure (scoring) after your registration in the app, each time a new means of payment chosen by you is entered, and each time a ride is booked, so as to protect mytaxi's legitimate interests in accordance with Article 6 (1.) (f) and 22(2.)(b) GDPR.

The following personal data are processed to determine the value:

First and last name, initial registration address, billing address (if provided), start and destination coordinates of your ride, mobile phone number, language, country, email address, credit card issuer, last four digits of your credit card number, credit card's expiry date, credit card holder's name, information about your terminal equipment (device ID), and the mytaxi Passenger App version.

The initial registration address is the address from which you first register for the mytaxi Passenger App. The collection of address data, your residential address, in particular, is not intended. However, unintentional use of the address data may occur if your initial registration takes place at your home address, i.e. if you register from at home or if the billing address possibly provided by you is the same as your home address. Using this information, our European fraud prevention agency calculates the statistical probability of non-payment and a decision as to whether you are offered the pay-by-app function in the mytaxi Passenger App is made fully automatically based on that. The billing address and the initial registration address are only used as a component alongside the other personal data discussed above for calculating the score. These personal data are not used or processed otherwise. The app's hailing functionality without the pay-by-app function is available to every user, regardless of score. Accordingly, if you are not offered the pay-by-app function due to the decision made fully automatically based on the score calculated, you may still use the mytaxi Passenger App and make payments either in cash or by debit card. If this is the case, you will be notified by email that the pay-by-app function is not available to you immediately after this decision. Please contact uk.support@mytaxi.com if you do not agree with the decision on implementation of the pay-by-app function. We will then have the decision reviewed by a specially trained employee, taking into account your position.

A specially trained mytaxi employee sometimes makes the final decision on implementation of the pay-by-app function in conjunction with the scoring. Accordingly, the decision is not made fully automatically in such cases.

Regardless of the score calculated fully automatically, we use the personal data listed above for the purposes of non-payment prevention by our own specially trained employees pursuant to Article 6(1.)(f) GDPR. This means that a specially trained employee of mytaxi analyses the data discussed and taking that and available empirical values as a basis can make the final decision as to whether the pay-by-app function is offered to you in the app at her/his own discretion in the event of anomalies. Where appropriate, this employee may also call the driver during a ride and inform her/him about the non-acceptance of a means of payment in such cases. Your personal data are not used otherwise. If you are not offered the pay-by-app function due to our employee's decision, then you may still use the mytaxi Passenger App and make payments either in cash or by debit card. Accordingly, it is noted that you may use the mytaxi Passenger App and our hailing service at any time, even if the pay-by-app function has been disabled.

To protect you against overpaying for taxi rides, the driver's mobile phone transmits GPS location data to us at short intervals during a taxi ride, enabling us to map the entire journey. We do this because we want to ensure the driver does not extend the route intentionally to earn higher remuneration.

If you believe you have paid too much, you may ask us about the route covered after a ride. The processing of your GPS location data takes place for your and our protection against fraudulent drivers and/or passengers on the basis of Article 6(1.)(f) GDPR to protect your and our interests (e.g. protection against overpayments).

 

2.4 Bug fixing, customer services and improvement of functionality

To make it possible to eliminate malfunctions in the mytaxi Passenger App, to answer specific customer inquiries about functionality or the hailing services and to adapt the mytaxi Passenger App to the needs of passengers, the following personal data is processed for the performance of the contract in accordance with Article 6(1.)(b) GDPR:

First and last name, email address, mobile phone number, profile picture (optional entry), your GPS location data at the time of booking, work and home address (optional entry), start and destination coordinates of your ride, and information about your terminal equipment (device ID, Ad-ID), Language, time zone.

If sufficient for the purpose, we work with data rendered anonymous or aggregated data rather than personal data.

 

2.5 a) News and personalised offers

You will receive offers and advertising from us if you have agreed to receive news and personalised offers (advertising, vouchers and promotions) and to the display of usage-based advertising ('retargeting') during the registration process or subsequently in the profile of the mytaxi Passenger App under 'Data protection' and have operated the toggle accordingly. This concerns non-personalised (sent to all customers) and personalised (sent only to you and based on an analysis of the mytaxi Passenger App usage frequency) newsletters sent electronically (email, SMS, MMS, in-app messages, push messages) to your terminal equipment (smartphone, tablet, PC, etc.). To send you personalised advertising, we will process your usage data. Usage data are information about the number of app installations, registrations and taxi rides. Based on this data, you will then receive special offers and advertising from us.

In this context, we will process the following personal data in accordance with Article 6(1.)(a) GDPR:

First and last name, passenger ID, email address, home and/or business address (optional entry), mobile phone number, profile picture (optional entry), payment method, registration date, language set, mytaxi Passenger App profile (business or private customer), type of taxi ride (booking, try-out ride), mytaxi Passenger App version, log-in details, your GPS location data at the time of booking and at the end of the taxi ride, device ID, IDFA (Ad-ID, Apple, identifier for advertisers), IFV (Ad-ID, identifier vendor), GAID (Google advertising identifier), IP address, and usage data (usage frequency, information about the number of app installations, registrations and taxi rides), language, time zone and city.

You confirm that you are 16 years old or older when you give your consent.

If you do not wish to receive the news and personalised offers already discussed, you can – just as easily as when you agreed to it – withdraw your consent by operating the toggle discussed above accordingly. Of course, you can also contact us by sending an email to uk.support@mytaxi.com or informal letter to mytaxi Network Ltd. ('mytaxi'), Harling House, Great Suffolk Street, London SE1 0BS.

Please note that the withdrawal and ensuing changes are valid only for the future and will be effective or implemented by no later than 48 hours from withdrawal. This is for reasons of a technical nature, which do not permit faster implementation.

 

2.5 b) Facebook Custom Audiences

In order to be able to display individually targeted advertisements about our services within the Facebook social network, a service of Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland, and on Facebook partner sites, we work with Facebook Custom Audiences. We do this so that advertisements (e.g. banners) can be tailored exactly to the possible needs of the customer. The basis of this is a marking process, wherein the Ad-ID (IDFA or GAID) from the customer’s end device (e.g. smartphone) is sent automatically or manually to Facebook via a certain interface with the involvement of a service provider selected by mytaxi. mytaxi then creates a list of customers who have carried out certain actions with the mytaxi Passenger App. Only certain pre-defined actions can be selected (e.g. installation of the mytaxi Passenger App in the last 30 days). Finally, Facebook compares the customers’ Ad-ID with the Ad-ID of people with a Facebook profile, defines certain groups (e.g. group 1: installation in the last 30 days) and displays corresponding advertisements to these groups. Customers who are not also users of Facebook cannot be compared by Facebook and advertising is not displayed to them. In the context of Facebook Custom Audiences, we will process the following data in accordance with Article 6(1.)(a) GDPR: Ad-ID (IDFA from Apple or GAID from Google).

You confirm that you are 16 years old or older when you give your consent.

If you do not wish to receive advertising in the context of Facebook Custom Audiences, you can – just as easily as when you agreed to it – withdraw your consent by operating the toggle discussed above accordingly. Of course, you can also contact us by sending an email to uk.support@mytaxi.com or informal letter to mytaxi Network Ltd. ('mytaxi'), Harling House, Great Suffolk Street, London SE1 0BS.

Please note that the withdrawal and ensuing changes are valid only for the future and will be effective or implemented by no later than 48 hours from withdrawal. This is for reasons of a technical nature, which do not permit faster implementation.

 

2.5 c) Newsletter

Once we receive from you for performance of our service your email address or your mobile phone number and you have accomplished a tour using our service, we may use it for electronical direct marketing by email, SMS and MMS as long as you have not revoked to our direct marketing. In this context we process pursuant to Art. 6 (1) f) GDPR the following personal data: e-mail and mobile phone number. You may revoke to direct marketing by clicking on a link at the end of an email (e.g. Opt out from newsletter) or by SMS contact with effect for the future. Please note that the withdrawal and ensuing changes are valid only for the future and will be effective or implemented by no later than 48 hours from withdrawal. This is for reasons of a technical nature, which do not permit faster implementation.

 

2.6 Studies and surveys

If you have agreed to receive studies and surveys during the registration process or subsequently in the profile of the mytaxi Passenger App under 'Data protection' and have operated the toggle positioned there accordingly, then we will contact you after a taxi ride or at any other time in the context of non-personalised or personalised (sent only to you and based on an analysis of the mytaxi Passenger App usage frequency) studies and surveys sent electronically (email, SMS, MMS, in-app messages, push messages) and request your participation. To this end, we will process the following personal data pursuant to Article 6(1.)(a) GDPR:

First and last name, passenger ID, email address, home and/or business address (optional entry), mobile phone number, profile picture (optional entry), payment method, registration date, language set, mytaxi Passenger App profile (business or private customer), type of taxi ride (booking, try-out ride), mytaxi Passenger App version, log-in details (user name, not the password), your GPS location data at the time of booking and at the end of the taxi ride, and usage data (usage frequency, information about the number of app installations, registrations and taxi rides), date registered, date las login, push tokens, passenger status, redeemed voucher value sum, total number voucher redeemed, deposited voucher value sum, total number voucher deposited, active number vouchers, total number favorite drivers, number of tours with favorite driver, work address (yes/no), home address (yes/no), gross merchandise value, total number of tours, number of match tours, number of canceled bookings, average rating of tours, ratings, business credit card (yes/no), billing address (yes/no), tip value preference.

You confirm that you are 16 years old or older when you give your consent.

If you do not wish to be contacted, you can – just as easily as when you agreed to it – confirm your withdrawal by operating the toggle discussed above accordingly. Of course, you can also contact us by sending an email to uk.support@mytaxi.com or informal letter to mytaxi Network Ltd. ('mytaxi'), Harling House, Great Suffolk Street, London SE1 0BS.

Please note that the withdrawal and ensuing changes are valid only for the future and will be effective or implemented by no later than 48 hours from withdrawal. This is for reasons of a technical nature, which do not permit faster implementation.

 

2.7 Section left blank.

 

2.8 Business account

Rides can also be ordered and invoiced in the form of business trips in accordance with the 'Framework conditions for mytaxi Business Accounts'. If you use the mytaxi Passenger App to book a business trip or decide to pay for a ride as a business trip via a business account at the end of the ride, then the personal data mytaxi collects through the use of the mytaxi Passenger App will be transmitted to the contracting party authorising you to make a business trip for the purpose of processing and charging for the trip ('invoicing data'). If a taxi ride is charged for as a business trip, then data of relevance to invoicing (in particular, first and last name, email address, fare, time, starting point and destination of a taxi ride) will be transmitted to your employer. The data will be transmitted to the extent necessary to settle the cost of the business trip with the business account holder in accordance with Article 6(1.)(b) GDPR.

mytaxi may arrange for external service providers to process invoicing data. In all other respects, the rights and obligations set out in this privacy policy apply to the invoicing data accordingly. In particular, your rights include those set out in point 5 accordingly.

If the user is entitled to settle business trips via a business account belonging to her/his employer, then she/he is obliged to provide accurate information about the nature (private or business) of a trip she/he has made. mytaxi is neither obliged nor in a position technically to determine whether the user's ride is for business or private purposes.

mytaxi shall not be liable for expenses, costs or damages arising from the fact that a user, who a contracting party has granted the option of accounting for a ride as a business trip through that contracting party's business account to, falsely books a ride as – or allows the assumption that it is – a business trip, when it is actually for private purposes.

 

2.9 Facebook Connect

We give you the option of registering for or logging in to the mytaxi Passenger App using your Facebook user data from the Facebook social network, a service of Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland ('Facebook'). This requires operation of the Facebook Connect button. For logging in, you will be redirected to a Facebook page, where Facebook will request certain permissions and you can log in using your Facebook user data. This will link your Facebook profile with our mytaxi Passenger App. This link will allow us to view the data you have provided Facebook (first and last name, email address, public profile, age range, gender, profile picture, time zone, Facebook ID). For the purpose of Facebook Connect, we use only your email address, first and last name, profile picture, and Facebook ID for identification purposes in accordance with Article 6(1.)(f) GDPR. At the same time, the type of device (e.g. iPhone), operating system, language, time zone, resolution, app version and the location of your time zone (e.g. Berlin/Europe) are transmitted to Facebook automatically.

See Facebook's data policy and terms of use for more information about Facebook Connect and the privacy settings: http://www.facebook.com/policy.php.

We kindly ask that you refrain from using the Facebook Connect function if this is not in accordance with your wishes.

 

2.10 Google Account

We also give you the option of registering for or logging in to our service with the log-in information for your Google Account with Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ('Google'). For logging in, you will be redirected to a Google page, where Google will request certain permissions and you can log in using your Google credentials. This will link your Google profile with our mytaxi Passenger App. This link will allow us to view the data you have provided Google (first and last name, email address and profile picture). For the purpose of logging in or registering via Google, we use only your email address, first and last name, and profile picture for identification purposes in accordance with Article 6(1.)(f) GDPR. At the same time, the type of device (e.g. iPhone), the email address you have entered in the mytaxi Passenger App and the operating system are transmitted to Google automatically.

See Google's data policy and terms of use at https://policies.google.com/privacy?hl=en for more information about logging in or registering via Google and Google's privacy settings.

We kindly ask that you refrain from using Google Account for logging in or registering if this is not in accordance with your wishes.

 

2.11 Google Maps

The mytaxi Passenger App makes use of the Google Maps API. This enables us to display maps in your mytaxi Passenger App and you to use those maps. Our mytaxi Passenger App cannot function without the Google Maps API. You can view Google's terms of use at https://policies.google.com/terms?hl=en. Additional terms of use for Google Maps are available at https://www.google.com/help/terms_maps.html. Google's privacy policy is available at https://policies.google.com/privacy?hl=en. After you have given your approval via your operating system, we use Google Maps to calculate the estimated fare for your ride and show you the distance of the taxi you have booked interactively. This involves us processing your GPS location data in accordance with Article 6(1.)(b) GDPR. We render your GPS location data anonymous before forwarding it to Google. Identification of you personally is ruled out.

 

2.12 Rating drivers and regular drivers

You can rate drivers and vehicles publicly via the mytaxi Passenger App. When you submit a rating, it is assigned to a specific ride and considered in the average rating of the driver and vehicle in question. It does not involve transmitting personal data to the driver.

You can also enter regular drivers in your mytaxi Passenger App profile. This involves you storing selected drivers in your profile. Personal data are not transmitted to the driver.

2.13 Use of Adjust Technology

We use an analytical tool provided by Adjust GmbH, Saarbrücker Str. 37A, 10405 Berlin ("Adjust", www.adjust.com) to learn more about how users use our app. When using the Adjust technology, certain information about the devices used by the users and the page content accessed is collected, processed and used. This applies in particular to information such as:

anonymised (hashed) IP addresses or MAC addresses;

anonymised identifiers, such as the Ad-ID/IDFA (iOS), the Android ID or similar IDs;

Information on installing and using the app;

Interactions with advertisements clicked by the user.

The Adjust technology uses this data to analyse and evaluate the performance of marketing activities to determine how users respond to specific campaigns, how they use and interact with the app. The data described above is not used to individualise individual users or to assign them to a specific person.

Data processing by Adjust is based on the so-called balancing of interests clause in Art. 6(1) lit. f GDPR. As providers of the app, we have a legitimate interest in knowing which of our marketing channels and advertising measures are most efficient and how we can best reach our users. The processed data will not be used to display personalised advertising to you, but merely serves our internal analysis.

If you do not want us to collect this information by the Adjust Technology, please send us an email to: uk.support@mytaxi.com.

 

3. Provider of processing services and processing in countries outside the European Economic Area

In some cases, we arrange for external service providers to process your data (e.g. troubleshooting, creation of mailings). This makes it necessary for us to transmit your personal data to our external service providers for a specified purpose (confined to the purpose in question). We have selected our service providers carefully and commissioned them in writing. They are bound by our instructions and we have obtained information about their technical and organisational measures for the secure processing of personal data. We also require that our service providers comply with the applicable data protection regulations. We work with service providers from the EU and other EEA countries. We have concluded processing contracts with our external service providers in accordance with Article 28(3.) GDPR, EU standard contractual clauses in accordance with Article 28(7.) GDPR or the transmission is based on a decision of the EU Commission in accordance with Article 45 GDPR (e.g. Privacy Shield).

We store all our data with a cloud service provider within the EU or in IT infrastructures and systems (employee computers) at our sites within the EU.

We work with IT service providers that facilitate the ride-hailing services in accordance with point 2.1, as well as the fault elimination, customer services and improvement of functionality in accordance with point 2.3. We also work with payment service providers that facilitate payment processing in accordance with point 2.2. Moreover, we work with a fraud prevention service provider to protect us against non-payment in accordance with point 2.3. If you have agreed to receive news and personalised offers (point 2.5) and to be contacted by us for studies and surveys (point 2.6), then we work with marketing agencies and service providers. Please do not hesitate to contact us at uk.support@mytaxi.com if you would like to know more about the service providers we engage.

We transfer personal data to our parent company Intelligent Apps GmbH, Große Elbstraße 273, 22767 Hamburg, Germany on the basis of an Intercompany Commissioned Data Processing Agreement as there our main IT infrastructure is based (headquarter). 

We do not sell personal data to third parties.

However, we do reserve the right to disclose information about you if we are legally obliged to or if we are required to surrender it by administrative or law enforcement bodies (e.g. police or public prosecutors).

 

4. Your rights

You have the right to request information from us at any time about your personal data we have stored and the origin, recipients or categories of recipients to whom these data are forwarded or otherwise disclosed, the purpose of the storage and processing, the planned storage period, our automated decision-making procedure, the right to data portability, the existence of a right to rectification, erasure, restriction of or objection to processing, and any existing right to lodge a complaint with a supervisory authority.

You also have the right to rectification of incorrect data and, in cases where the legal requirements are met, to blocking and erasure, as well as to restrict the processing of data.

You may also send requests for information, withdrawals of consent, objections and other concerns regarding data processing by email to uk.support@mytaxi.com or to the address stated in the introduction.

 

5. Data security

We have taken appropriate technical and organisational measures to guarantee data security, in particular to protect your personal data against access by third parties, as well as accidental or intentional modification, loss or destruction. Such measures are reviewed periodically and adapted in line with the state of the art. The transfer of your personal data from your terminal equipment (e.g. smartphone) to us is always encrypted. mytaxi is PCI DSS (Payment Card Industry Data Security Standard) certified.

 

6. Storage period

In principle, we process and store your data for the duration of our contractual relationship. In addition, we are subject to various retention and documentation requirements. The required periods, e.g. from tax law, can be up to 10 years. Moreover, special statutory provisions can make a longer retention period necessary, e.g. evidence in the context of statutory periods of limitation.

If data is no longer required for compliance with contractual or statutory requirements, they are regularly deleted, unless their limited further processing is necessary for the purposes listed above.