Last update: 02.09.2021
Thank you for using the Trafi for Business (‘T4B’) mobile application, a digital multi-modal service that simplifies your commute, streamlines your work travels and gains you access to shared mobility services like kick-scooters and bikes, public transportation, car- and ride-sharing, and more.
Trafi GmbH, with the registration number HRB 106876 B (Amtsgericht Charlottenburg), address of registered office Chausseestrasse 6, 10115 Berlin, Germany, is the data controller in respect of your personal data being used and processed in the T4B app for the purposes described in this policy. Please feel free to contact us by email at firstname.lastname@example.org.
If you have any questions or suggestions related to our services, please contact us by email at email@example.com.
When you access, connect to, download, create an account for, make purchases within or otherwise use our app, for instance, using the app to see public transport or rent a scooter, we may collect personal data about you. The personal data we collect will depend on the circumstances and the services you are using and requesting. See below what services we have:
We provide the option for you to register and create an account in the app, which requires you to enter your personal data. An account is necessary in order to use mobility services through the app. Some of your information comes directly from you when you create an account. Note that Some information, such as your name, surname and email address could be provided directly from your Company, when they set up a mobility budget allowance or benefit to you.
During the registration process, we collect the following information:
This information is required to establish, formulate, or modify the contractual relationship between you andTrafi. The data is also used to provide customer account functions and for management of your account. You cannot use the mobility services in the Trafi app if you do not provide the data required during registration as it is required to set up the contract.
Allowing Trafi to access location and route information of your device helps us to provide you with more accurate content, such as showing car sharing options nearby or public transport options that we consider the best based on your location. If you provide access to your location, GPS signals, device sensors, Wi-Fi access points, and tower ids may be used to estimate your precise location.
You can either allow the app to access location services by manually entering your location and consent to share it (“Allow Once” or “Allow while using the App”) and/or through the location settings ( “More -> Legal – Privacy -> Location -> Opt-in” ) on your device. In the case of GPS tracking, however, we only collect the location determined by your device if the app is open and you tap the location icon. Your device will indicate if location tracking is active.
You can enable or disable this function at any time by going to your location settings (“More -> Legal – Privacy -> Location -> Opt-in/Opt-out” )
Note that If you disable the function we will not collect your location any further. However, in this case, we would show general information only and you won’t be able to request services, as we need to process your location for the purpose of suggesting available services near you. Therefore certain features of this device cannot be provided without tracking your location.
Then, Trafi will transmit the data required to form and process the contract to your selected mobility provider, such as:
Note that when applicable, some mobility services, they may also request:
Note that the usage of specific mobility sharing services requires a valid identity in order to associate service usage with specific individuals. Such identity-to-service association is needed for achieving high-standard QoS (Quality-of-Service), for preventing vandalism cases, and as part of KYC/CTF compliance activities (it’s described in the section above titled driver’ s license and ID or passport).
To book and buy a transport ticket, additional information might be shared, such as:
This data is transmitted for the purpose of forming and processing the contract. Moreover, this data is also needed for legal obligations and invoicing purposes.
Your contractual relationship with mobility providers
Each mobility service provider requires Trafi to transfer certain types of personal data for conducting your trip with them and therefore, they decide which data is needed.
Moreover, each provider defines how they will process and store your personal data once sent by Trafi on your request to book a trip. Therefore, the mobility providers are the data controllers of the data they receive. As such, we cannot assume responsibility or be liable for how they process your data once you enter into a contract with them. To increase awareness of the provider we embedded each mobility provider’s name and logo into our app, including their contact details and FAQ.
When you use the mobility services through the T4B app, your company pays for the trips. This means that your company card details are associated with your account and we will not process your card-related personal data.
We have access to the budget that your company sets up for you on a monthly basis so we can display it in the app and you can see it and use it.
That budget can be updated or disabled any time at the sole discretion of your company based on your benefits schedule and policy updates, contractual changes and/or other relevant legal basis existing between you and your company.
Your company is the data controller of your budget information. Therefore, please contact your company directly if you have any particular question with regards to your budget.
Notifications needed for service-related, legal and security reasons
Notifications with generic offerings and services
We may also contact you via the app, email or other contact to notify you about our generic offers, promotions and services related to the T4B app that you use. We will not send any targets or personalize marketing, but rather generic messages about our services to all users. We will contact you on our legitimate interest but note that you can opt-out from receiving these notifications at any time in your App Notifications Settings (“More -> Legal -> Trafi”) or in the body of our marketing email “email->unsubscribe”
Notifications about your account and your trips
We may also contact you directly about information specifically relevant to you and to your trip, e.g. to inform you about the status of a trip or to inform you that a car you requested is arriving, amongst others.
We will contact you in our and your legitimate interest, but note that you can opt-out from receiving these notifications at any time in your App Notifications Settings (“More -> Settings -> Notifications”).
Legal obligations and rights
We may process personal data to comply with applicable laws and regulations, court requests or court ruling as well as to dispute resolution cases.
Cookies and similar technologies
Cookies and similar technologies, such as Software Development Kits (SDKs) and Local Storage such as Local Shared Objects (LSOs) are small text files that are stored on web browsers or devices by websites, apps, online media or companies. Trafi uses technologies for the purpose of exchanging information with service providers, authentication and remembering user preferences and settings.
|Strictly Necessary ||SDKs are functions that operate on the mobile app context. Trafi, the app developer, installs pieces of SDKs from our service providers in the apps, e.g. from our Mobility Service Providers, and thereby allows the service provider to collect certain information about the user interaction with the app and the user device.||Exchanging information with service providers||Trafi and Mobility Service Providers|
|Strictly Necessary||LSOs are a piece of data, a token, that is stored on your device so we can recognize you when you open the app.||Authentication (login in the app) and remembering user preferences and settings.It includes, for instance, recent ticket purchase, public transport search and recent points of search.||Trafi, Google(Android) and Apple (iOS) |
Android phones use EncryptedSharedPreferences encrypted with AES-256 encryption algorithm.iOS phones use NSUserDefaults.
At Trafi we only use essential or strictly necessary cookies and technologies. We do not advertise to or target you.
This means that without the SDKs, you would not be able to access the services of the app. Moreover, the LSOs technology enables the app to recall user preferences, e.g. the user may not need to re-enter information previously provided in the app and during onboarding. It also allows security and authentication of the data. Therefore, it only aims to provide you with the necessary services and it cannot be disabled, unless you uninstall the app.
If you would like to uninstall our app, our cookies and technologies described in the table above will be deleted. If you have questions or you need our support uninstalling our app with please contact firstname.lastname@example.org
Security and fraud prevention
We will collect some data about you or your device, which is technically necessary for us to provide you with the functions of the app and to ensure its the security, such as
This information is processed to enable you to use our app as contractually defined in the app terms and conditions. Additionally, we require automatically collected data to provide a functioning app and ensure its security such as by adapting the app to the requirements of your device, by monitoring the system (e.g. logging, metrics and alerting), debugging and error monitoring. This information is also processed to allow us to pursue our legitimate interest in optimising the Trafi app and ensuring the security of both the app and our IT systems.
We may use personal data such as IP addresses, IDs (e.g. order id or event id), location information (e.g. booking start or end information), time information (e.g. timestamps), trips (e.g. ride type, vehicle name, search terms (e.g. search for an address or a place), or cost information (e.g. amount) to identify fraud patterns in order to prevent fraud abuses such as financial fraud and to ensure the security of the personal data as a legitimate interest of Trafi.
After 186 days, the raw data used for fraud prevention is deleted.
Analytics with pseudonymised data, research and statistics
We will also process personal data for the purpose of analytics. This data, which relates to your use of T4B, may include pseudonymised data such as:
Real ID: 62be375c-65c1-11eb-9a67-93a3de9dd4c8
Value Created: 12:00AM
The use of these techniques allows Trafi to analyse data for its legitimate business interest to ensure the quality of the technical features and the improvement of the app while maintaining a level of adequate data protection.
First of all, the data is pseudonymised and then it is kept separately from the data source which directly identifies you. Secondly, by masking or rounding direct identifiers to the app user, which are not necessary for analytics, thus adhering to personal data minimisation and purpose limitation principles. Thirdly, Trafi uses the data for a strict purpose of improving the product so the technical functionalities of the app will work better and efficiently for the user. Analyzed data is not in any case used for direct advertisement or retargeting or reselling data, nor for any other invasive or excessive purpose rather than the improvement of the tech features.
We provide our users with the to opt-out option at any time by go to Analytics Settings ( “More -> Legal – Privacy -> Analytics -> Opt-out” )
After 62 days, the raw data extracted is permanently deleted and we keep anonymized statistical data only (which is no longer personal data) for statistical purposes.
You can provide your feedback directly in our app on a voluntary basis by actively pressing the “Leave feedback” button and providing your comments. Note that no direct or indirect identifiers are automatically associated with the comment unless you provide personal information in the comment itself.
In order to grow trustworthiness of the T4B app, we enable you to leave feedback on the ride experience. This is a voluntary action based on the user’s active action. In this context, we will process:
If you want to share your identity in order to get support from the Trafi Customer Support Team, you need to provide additional consent by ticking the box “I want to share more details with the Trafi Customer Support Team.” To enable Trafi understanding the context, more details will be requested, such as:
Qualitative feedback on route search results provides Trafi with actionable points that allow us to improve the routing function in our product. If you would like to, you can voluntarily provide feedback on routing, for which we will process:
We also enable you to leave your feedback about your overall experience with the app. This is a voluntary action based on user active action. We will process:
If you want to use the T4B app you must be at least 16 years of age.
Other mobility service providers, payment providers and identity verification providers may also check your personal information to validate if your age complies with their internal age requirements and policies.
Personal data may be disclosed to other entities, such as your company or law enforcement agencies whenever needed and/or required by contract or law; it may also be disclosed to our contracted service providers for processing in accordance with the purposes for which it was originally provided, e.g. to provide offered services, for technical support and to other data controllers.
Moreover, data processed in other countries may be subject to foreign laws and accessible to the governments, courts, law enforcement authorities, and regulatory authorities of those countries. If your personal data is transferred to third countries, however, we will take appropriate measures to adequately transfer your data. Unless an adequacy finding has been made by the EU Commission for the recipient country, the transfer of your data to a third country is protected by the fact that EU standard contractual clauses have been concluded with the recipient or other legal mechanisms is in place to guarantee the adequate transfer and that data protection and security measures exist.
Your company may request that we share some of your personal information with them. Companies normally request data for invoicing and reporting purposes in order to manage the budget benefit and/or allowance that they are providing to you.
Data for invoicing purposes is provided in an aggregated manner, e.g. total price of the employees during a specific month, to guarantee the principle of personal data minimization and the higher protection of the employee’s personal data. Reporting on invoicing is necessary for your company to comply with its legal obligations, as well as for accounting and payroll legitimate interests.
Moreover, your company may request data for reporting purposes.
Account Report (Business, Commute and Leisure trips) provides employee level summary for the different trip purposes and calculates the amount that is subject to income taxes on a monthly basis which could be required by the applicable laws or applicable legal basis. The data includes:
Detail Trip Report provides details on your trip which are necessary for tax deductions or other relevant legal basis defined by your Company.
Detail Trip Report (Business and Commute) – the level of detail includes:
Under the applicable tax and accounting laws or other,, the companies may need to provide your data to the relevant authorities and document your data for accounting, payroll and payment purposes or other relevant legal basis,. Note that companies have tax deductions based on your trip type, either business, commute or leisure. Note that no individual trip information is provided to your company besides the information needed to comply with their legal requirements.
Note that your company controls the data that they request us, and they are considered the data controller. Please contact your HR Manager or Company if you want to know more on what data your company sees and what for it is using it.
We may share or disclose your personal data if requested by relevant government and law enforcement agencies and/or courts and/or required by law.
Under data processing agreements, we contractually define that our contracted service providers must use personal data solely for the agreed purposes and not to disclose your personal data to other parties, unless this is required and/or allowed by law.
Our Processors are the following service providers:
|UAB Intelligent Communications||Operation of our central IT system|
|Bugsnag||Mobile app error monitoring tool|
|Karhoo||Taxi mobility services integration system|
|AWS Cloud Provider||Cloud service for hosting MaaS backend services|
|Onfido||Driving licence and ID card validation|
|AWS Cognito||Mobile number verification for authentication purposes|
|Mparticle||Consent and frontend management system|
|Google Firebase Cloud Messaging||Firebase Cloud Messaging allows us to message users with specific, context-related information on our services and encourage use of the app. Information on the message’s subject, the type of message, and the time of sending are processed.|
|Google Firebase Remote Configuration||Remote Config uses Firebase installation IDs to select configuration values to return to end-user devices, for instance for A/B testing purposes.|
|Google Firebase Dynamic Links||Dynamic Links uses device specs and IP addresses on iOS to open newly-installed apps to a specific page or context.|
|Google BigQuery Cloud Provider||Cloud Service for hosting analytics, statistics, security and fraud prevention purposes (both frontend and backend services)|
|Google Looker||Database used for analytics and statistics purposes|
|Datadog||System monitoring (logging, metrics and alerting) and debugging|
|Google Maps||Google Maps makes it possible to quickly and accurately determine your location and show both available mobility services and the routes that you request. Your IP address and location must be stored to use Google Maps functions. This information is typically sent to and stored on Google servers in the USA.|
We will only keep your personal data for as long as we consider necessary for the fulfilment of our purposes, such as resolving disputes, enforcement of agreements, business and legitimate interests and/or if it is legally required to do so. After that period, we will delete your data or, in some cases, anonymise your personal data. The following time limits for storage and erasure generally apply:
|Data category||Third Party/System||Time limit for storage|
|Product Security and Management (including Data Authentication, Remote Configuration, Dynamic Links And Cloud Messaging)||AWS Cognito|
|Data is erased after 3,5 years (from the collection of the data)|
|Data Logs and Monitoring||DataDog||Data is erased after 15 days (from the collection of the data)|
|Data Metrics and Monitoring||DataDog||Data is erased after 90 days (from the collection of the data)|
|MSPs Data Logs||Google BigQuery||Data is erased after 30 days (from the collection of the data)|
|Data Backups||AWS Cloud||Data is erased after 30 days (from the collection of the data)|
|Data for validation of driver’s licence, ID and Passport card||Onfido||Sensitive Data, such as picture, video and biometric identifiers, is erased within 24 hours (from the collection of the data). The remaining information, such as driver name, is erased in a maximum period of 6 months (from the collection of the data)|
Analytics and Feedback
|Google BigQuery||Data is erased after 62 days (from the collection of the data). Anonymised statistics and anonymised analytics are kept.|
|Security and fraud prevention purposes||Google Cloud||Data is erased after 186 days (from the collection of the data). Anonymised statistics are kept.|
|Customer account data and Trip history(backend)||AWS Cloud||Storage while customer account is active and it will be erasure from the app after 3 years from the last time you logged in in the app, (time starts at end of respective calendar year)|
|Customer account data and Trip history (frontend)||Mparticle||Storage while customer account is active and it will be erasure from the app after 2 years from the data collection|
|Customer service queries and reporting an issue||Google BigQuery||Storage while customer account is active and it will be erasure from the app after 3 years from the last time you logged in in the app, (time starts at end of respective calendar year)|
|Employment, General Company Records, HR Salary and Benefits Records and Tax and Accounting Records||AWS Cloud||Data is erased after 10 years (close of the calendar year in which the document was created)|
We understand that you may at times need further information from us regarding your personal data and how it is processed or that you may wish to update or correct the personal data you have provided us with. In light hereof, you have inter alia, when appropriate and in the limits of the applicable data protection laws, the following rights:
• Right to access your personal data: you have the right to obtain confirmation from us as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and information.
• Right to data portability: you have the right to request that we provide you with your personal data in a machine-readable format as well as the right to request its transmission to another data controller.
• Right to rectification of personal data: if you find that personal data which we process about you is inaccurate, you have the right to have us correct such personal data.
• Right to erasure of personal data (right to be forgotten): under certain circumstances, such as if your personal data has been unlawfully processed or you have withdrawn your consent (if the processing of your personal data is based on consent), you have the right to request and obtain erasure of your personal data from us.
• Right to restriction of processing: under certain circumstances, such as if you question the accuracy of your personal data or you have objected to our legitimate purpose to process your personal data, you have the right to request that we restrict the processing of your personal data until a solution has been found.
• Right to object to processing: under certain circumstances, such as if you question the legitimate interest to process your personal data, you have the right to object, on grounds relating to your particular situation, to such processing. Moreover, with regard to our optional activities, for instance our personalized information, you have the right to object at any time and free of charge. You can object at any time to be subject to data analytics and to share your location (“More -> Legal -> Privacy”) and from receiving push notifications (“More -> Settings-> Notification”)
• Right to lodge a complaint with a supervisory authority:
you have the right to lodge a complaint regarding our processing of your personal data with your supervisory authority.
If our processing of your personal data is based on your consent, you have the right to withdraw such consent at any time (this will however not affect the processing based on your consent before its withdrawal) by contacting us or by updating the settings in our services (where applicable).
You can also contact our support team and request to export your personal data or to exercise any of your rights by contacting email@example.com.
If you would like to contact the data privacy team and the data protection officer directly, please send an email to firstname.lastname@example.org
You can also exercise some of your rights directly in your app, at any time, by:
Going to your “More”
Checking “My account”, “My trips”, “My history” and “My payment”
If you want to exercise your rights or contact a mobility provider about a service with them, please contact their customer support team.
Please contact your company directly.