Last updated: 27.04.2022
Thank you for using the Trafi for Business (‘T4B’) mobile application, a digital multi-modal service that simplifies your commute, streamlines your work travels, and gives you access to shared mobility services like kick-scooters and bikes, public transportation, car-and ride-sharing, and more.
Trafi GmbH, with the registration number HRB 106876 B (Amtsgericht Charlottenburg), address of registered office Chausseestrasse 6, 10115 Berlin, Germany, is the data controller in respect of your personal data being used and processed in the T4B app for the purposes described in this policy. Please feel free to contact us by email at firstname.lastname@example.org.
If you have any questions or suggestions related to our services, please contact us by email at email@example.com.
When you access, connect to, download, create an account for, make purchases within or otherwise use our app – for instance, using the app to see public transport or rent a scooter – we may collect personal data about you. The personal data we collect will depend on the circumstances and the services you are using and requesting. See more details below:
We provide the option for you to register and create an account in the app, which requires you to enter your personal data. An account is necessary in order to use mobility services with the app. Some of your information comes directly from you when you create an account. Note that some information, such as your name, surname, and email address, could be provided directly from your Company when they set up a mobility budget allowance or benefit to you.
During the registration process, we collect the following information:
This information is required to establish, formulate, or modify the contractual relationship between you and Trafi. The data is also used to provide customer account functions and for the management of your account. You cannot use the mobility services in the Trafi app if you do not provide the data required during registration, as it is required to set up the contract.
Allowing Trafi to access location and route information of your device helps us to provide you with more accurate content, such as showing car sharing options nearby or public transport options that we consider to be the best based on your location. If you provide access to your location, GPS signals, device sensors, Wi-Fi access points, and tower IDs may be used to estimate your precise location.
You can either allow the app to access location services by manually entering your location (“Allow Once” or “Allow while using the App”) and/or manage your preferences through the location settings ( “More -> Legal – Privacy -> Location -> Opt-in/Opt-out” ) on your device. In the case of GPS tracking, however, we only collect the location determined by your device if the app is open and you tap the location icon. Your device will indicate if location tracking is active.
You can enable or disable this function at any time by going to your location settings (“More -> Legal – Privacy -> Location -> Opt-in/Opt-out” )
Note that if you disable the function we will not collect your location any further. However, in this case, we would show general information only and you won’t be able to request services, as we need to process your location for the purpose of suggesting available services near you. Therefore the main mobility functionalities of this device cannot be provided without tracking your location.
Driver’s license and ID or passport
A valid driver’s license and a valid ID card/passport are required for use of some mobility services available in the Trafi app, e.g. the car-sharing service or scooters. These are used to verify your right to drive a vehicle and identity. Our app allows you to perform a validation of your driver’s license and ID/passport card. During this procedure, we will collect and process pictures of your driver’s license and ID card taken by you, as well as a photograph of your face and/or video and biometric data for the purpose of checking your driving license and ID card. This enables us to verify that the user is the true owner of the identity document and that there are no signs of fraudulent activities. We use the service provider Onfido for the entire automated validation process.
In order to carry out the check on the driver’s license, ID or passport, the following data is collected:
Note that if you do not share this information, we will not be able to check your driver’s license, ID and passport, which will subsequently preclude your use of certain vehicles and services that require verification. This information is required for performance of the contract and for steps prior to entering into the contract between you and the mobility service provider that requires such validation.
Therefore, as soon as the documents are shared by you, Onfido will compare your facial images of the driver’s license, ID or Passport and check against other data sources, such as the facial photograph and/or video you provide to understand whether two documents are likely to be a match.
Additionally, Onfido could also check whether those facial images show signs of fraud – for example, by comparing a person’s numerical biometric data to those of known masks.
If Onfido is able to verify the identity of a user and the user is able to pass all requested checks, we then continue with their onboarding process and we will validate the name, surname, and birth day you provided to us. However, if they’re unable to verify the identity of a user or the user isn’t able to pass all requested checks, they might not allow you to use the app, some of its services, and/or conduct additional checks before continuing with the onboarding process.
Mobility Service Providers
Trafi will then transmit the data required to form and process the contract to your selected mobility provider, such as:
To book and buy a transport ticket, additional information might be shared, such as:
This data is transmitted for the purpose of forming and processing the contract. Moreover, this data is also needed for legal obligations and invoicing purposes.
Your contractual relationship with mobility providers
Each mobility service provider requires Trafi to transfer certain types of personal data for conducting your trip with them and therefore, they decide which data is needed.
Moreover, each provider defines how they will process and store your personal data once sent by Trafi on your request to book a trip. Therefore, the mobility providers are the data controllers of the data they receive. To increase awareness of the provider we embedded each mobility provider’s name and logo into our app, including their contact details and FAQ.
At Trafi, we have access to the budget that your company sets up for you so we can display it in the app and you can see it and use it.
That budget can be updated or disabled any time at the sole discretion of your company based on your benefits schedule and policy updates, contractual changes and/or other relevant legal basis existing between you and your company.
Your company is the data controller of your budget information. Therefore, please contact your company directly if you have any particular question with regards to your budget amount.
As soon as you have a budget allocated by your company, you can use your budget in two different ways as described below.
Using Mobility budget in Trafi for Business App
Using Mobility Budget outside the app
If you want to use mobility services in Switzerland which are outside the T4b app, you can opt to use a virtual card to spend the Mobility budget that your company allocated to you. This will enable you to access a variety of scooters, e-bikes, and carsharing, among other transports, which are not integrated into our app yet. Note that this is an optional service and your personal data will be processed as defined here only if you have applied for a virtual card.
Upon your request and if this option was agreed with your company, we will be happy to add you as a card user of the virtual card. For that, we will request your personal data such as your birthday date, nationality, and name which enables the bank we work with, HBL Bank, to validate your identity and comply with other applicable bank laws or relevant industry standards.
As soon as the bank checks your identity, the bank will issue a virtual card for you and you will be able to start payments outside the app with the budget allocated by your company. To protect your personal data, in particular your cardholder data like your PAN, CVV or card expiration date, we will display your cardholder details upon your request but Trafi will have no or very limited (e.g. masked PAN) access rights to these data elements. Additionally, we are compromised to implement state of art technical and organizational security measures to protect them against unauthorized access or abuses.
Notifications needed for service-related purposes legal and security reasons
Notifications on generic marketing, offerings, and services
We may also contact you via the app, email or other contact to notify you about our generic offers, promotions and services related to the T4B app that you use. We will not send any targets or personalize marketing, but rather generic messages about our services to all users.
We will contact you on our legitimate interest but note that you can opt-out from receiving these notifications at any time in your App Notifications Settings (“More -> Legal -> Trafi”) or in the body of our marketing email “email->unsubscribe”.
Notifications about your account and your trips
We may also contact you directly about information specifically relevant to you and to your trip, e.g. to inform you about the status of a trip or to inform you that a car you requested is arriving, amongst others.
We will contact you in our and your legitimate interest, but note that you can opt-out from receiving these notifications at any time in your App Notifications Settings (“More -> Settings -> Notifications”).
Legal obligations and rights
We may process personal data to comply with applicable laws and regulations, court requests or court ruling as well as to dispute resolution cases.
Cookies and similar technologies
Cookies and similar technologies, such as Software Development Kits (SDKs) and Local Storage such as Local Shared Objects (LSOs) are small text files that are stored on web browsers or devices by websites, apps, online media or companies. Trafi uses technologies for the purpose of exchanging information with service providers, authentication and remembering user preferences and settings.
|Strictly Necessary |
SDKs are functions that operate on the mobile app context. Trafi, the app developer, installs pieces of SDKs from our service providers in the apps, e.g. from our Mobility Service Providers, and thereby allows the service provider to collect certain information about the user interaction with the app and the user device.
|Exchanging information with service providers||Trafi and Mobility Service Providers|
LSOs are a piece of data, a token, that is stored on your device so we can recognize you when you open the app.
Authentication (login in the app) and remembering user preferences and settings.It includes, for instance, recent ticket purchase, public transport search and recent points of search.
|Trafi, Google(Android) and Apple (iOS) |
Android phones use EncryptedSharedPreferences encrypted with AES-256 encryption algorithm.iOS phones use NSUserDefaults.
At Trafi we only use essential or strictly necessary cookies and technologies. We do not advertise to or target you.
This means that without the SDKs, you would not be able to access the services of the app. Moreover, the LSOs technology enables the app to recall user preferences, e.g. the user may not need to re-enter information previously provided in the app and during onboarding. It also allows security and authentication of the data. Therefore, it only aims to provide you with the necessary services and it cannot be disabled, unless you uninstall the app.
If you would like to uninstall our app, our cookies and technologies described in the table above will be deleted. If you have questions or you need our support uninstalling our app with please contact firstname.lastname@example.org.
Security and fraud prevention
We will collect some data about you or your device, which is technically necessary for us to provide you with the functions of the app and to ensure its the security, such as:
In Trafi’s legitimate interest of evaluating fraud suspicious or identifying fraud patterns to prevent fraud abuses (such as financial fraud) we may use the following personal data:
You might be manually or automatically blocked from the app if fraud is considered suspicious based on defined fraud conditions or patterns.
Analytics with pseudonymized data, research and statistics
We will also process personal data for the purpose of analytics. This data, which relates to your use of T4B, may include pseudonymised data such as:
Example:Real ID: 62be375c-65c1-11eb-9a67-93a3de9dd4c8
Value Created: 12:00AM
The use of these techniques allows Trafi to analyze data for its legitimate business interest to ensure the quality of the technical features and the improvement of the app while maintaining a level of adequate data protection.
First of all, the data is pseudonymised and then it is kept separately from the data source which directly identifies you. Secondly, by masking or rounding direct identifiers to the app user, which are not necessary for analytics, thus adhering to personal data minimisation and purpose limitation principles. Thirdly, Trafi uses the data for a strict purpose of improving the product so the technical functionalities of the app will work better and efficiently for the user. Analyzed data is not in any case used for direct advertisement or retargeting or reselling data, nor for any other invasive or excessive purpose rather than the improvement of the tech features.
We provide our users with the to opt-out option at any time by going to Analytics Settings ( “More -> Legal – Privacy -> Analytics -> Opt-out” )
After 62 days, the raw data extracted is permanently deleted and we keep anonymized statistical data only (which is no longer personal data) for statistical purposes.
You can provide your feedback directly in our app on a voluntary basis by actively pressing the “Leave feedback” button and providing your comments. Note that no direct or indirect identifiers are automatically associated with the comment unless you provide personal information in the comment itself.
In order to grow the trustworthiness of the T4B app, we enable you to leave feedback on the ride experience. This is a voluntary action based on the user’s active action. In this context, we will process:
If you want to share your identity in order to get support from the Trafi Customer Support Team, you need to provide additional consent by ticking the box “I want to share more details with the Trafi Customer Support Team.” To enable Trafi understanding the context, more details will be requested, such as:
Thumbs-up or thumbs-down feedback
Qualitative feedback on route search results provides Trafi with actionable points that allow us to improve the routing function in our product. If you would like to, you can voluntarily provide feedback on routing, for which we will process:
Net Promoter Score (NSP) feedback:
We also enable you to leave your feedback about your overall experience with the app. This is a voluntary action based on user active action. We will process:
The questions that will be asked are:
If you want to use the T4B app you must be at least 18 years of age.
Other mobility service providers, payment providers and identity verification providers may also check your personal information to validate if your age complies with their internal age requirements and policies.
Personal data may be disclosed to other entities, such as your company or law enforcement agencies whenever needed and/or required by contract or law; it may also be disclosed to our contracted service providers for processing in accordance with the purposes for which it was originally provided, e.g. to provide offered services, for technical support and to other data controllers. Moreover, data processed in other countries may be subject to foreign laws and accessible to the governments, courts, law enforcement authorities, and regulatory authorities of those countries. If your personal data is transferred to third countries, however, we will take appropriate measures to adequately transfer your data. Unless an adequacy finding has been made by the EU Commission for the recipient country, the transfer of your data to a third country is protected by the fact that EU standard contractual clauses have been concluded with the recipient or other legal mechanisms is in place to guarantee the adequate transfer and that data protection and security measures exist.
Your company may request that we share some of your personal information with them. Companies normally request data for invoicing and reporting purposes in order to manage the budget benefit and/or allowance that they are providing to you.
Data for invoicing purposes is provided in an aggregated manner, e.g. total price of the employees during a specific month, to guarantee the principle of personal data minimization and the higher protection of the employee’s personal data. Reporting on invoicing is necessary for your company to comply with its legal obligations, as well as for accounting and payroll legitimate interests.
Moreover, your company may request data for reporting purposes.
Moreover, your company may request data for reporting and/or analytics purposes.
Analytics Report might include:
Employee Accounting Report (Business, Commute, and/or Leisure trips) provides employee level summary for the different trip purposes and calculates the amount that is subject to income taxes on a monthly basis which could be required by the applicable laws or other requirements. This data may include:
Trip Report provides details on your booking which are necessary for tax deductions or other relevant grounds defined by your Company. It could include:
Under the applicable tax and accounting laws or other, the companies may need to provide your data to the relevant authorities and document your data for accounting, payroll and payment purposes or other relevant legal basis. Note that companies have tax deductions based on your trip type, either business, commute or leisure. Note that no individual trip information is provided to your company besides the information needed to comply with their legal requirements.
Note that your company controls the data that they request us, and they are considered the data controller. Please contact your HR Manager or Company if you want to know more on what data your company sees and what for it is using it.
We may share or disclose your personal data if requested by relevant government and law enforcement agencies, courts and/or when it is required by law.
Under data processing agreements, we contractually define that our contracted service providers must use personal data solely for the agreed purposes and not disclose your personal data to other parties unless this is required and/or allowed by law.
If our processors are located outside the European Economic Area (EEA) or in a country that the European Commission has not recognized as a country providing an adequate level of data protection, we will conduct Data Transfer Impact Assessments and have in place EC Standard Contractual Clauses in order to protect your personal data.
We use third-party processors to fulfill the following categories of services:
We will only keep your personal data for as long as we consider necessary for the fulfillment of our purposes, such as resolving disputes, enforcement of agreements, business and legitimate interests and/or if it is legally required to do so. After that period, we will delete your data or, in some cases, anonymize your personal data.
We understand that you may at times need further information from us regarding your personal data and how it is processed or that you may wish to update or correct the personal data you have provided us with. In light hereof, you have inter alia, when appropriate and in the limits of the applicable data protection laws, the following rights:
• Right to access your personal data: you have the right to obtain confirmation from us as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and information.
• Right to data portability: you have the right to request that we provide you with your personal data in a machine-readable format as well as the right to request its transmission to another data controller.
• Right to rectification of personal data: if you find that personal data which we process about you is inaccurate, you have the right to have us correct such personal data.
• Right to erasure of personal data (right to be forgotten): under certain circumstances, such as if your personal data has been unlawfully processed or you have withdrawn your consent (if the processing of your personal data is based on consent), you have the right to request and obtain erasure of your personal data from us.
• Right to restriction of processing: under certain circumstances, such as if you question the accuracy of your personal data or you have objected to our legitimate purpose to process your personal data, you have the right to request that we restrict the processing of your personal data until a solution has been found.
• Right to object to processing: under certain circumstances, such as if you question the legitimate interest to process your personal data, you have the right to object, on grounds relating to your particular situation, to such processing. Moreover, with regard to our optional activities, for instance our personalized information, you have the right to object at any time and free of charge. You can object at any time to be subject to data analytics and to share your location (“More -> Legal -> Privacy”) and from receiving push notifications (“More -> Settings-> Notification”)
• Right to lodge a complaint with a supervisory authority: you have the right to lodge a complaint regarding our processing of your personal data with your supervisory authority.
If our processing of your personal data is based on your consent, you have the right to withdraw such consent at any time (this will however not affect the processing based on your consent before its withdrawal) by contacting us or by updating the settings in our services (where applicable).
You can also contact our support team and request to export your personal data or to exercise any of your rights by contacting email@example.com.
You can also exercise some of your rights directly in your app, at any time, by going to “More” within your app. Checking “My account”, “My trips”, “My history” and “My payment”.
If you would like to contact the data privacy team and the data protection officer directly, please send an email to firstname.lastname@example.org
Please contact your company or the MSP directly.