PRIVACY POLICY
 
In this document (the “Privacy Policy”), we explain how we process personal data of our customers (“you”) when you use (a) CityBee mobile app (the “App”), (b) CityBee vehicles (the “Vehicle”), (c) CityBee website https://www.citybee.lv (the “Website”) and your online self-service account, and (d) when you communicate with us by phone, e-mail, social media and otherwise. 
We process your personal data in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation, hereinafter referred to as the GDPR), other applicable legal acts in the field of personal data protection as well as this Privacy Policy.
In this Privacy Policy, we explain the most important concepts about protection of your personal data: the purposes and grounds on which we process your data, sources from which we receive the data and persons with whom we have the right to share them, our duties with regard to the processing of your data, your rights and how they are implemented. 
Take your time to carefully read this Privacy Policy and, if you have any questions, please feel free to contact us. 
If you use the Website and/or the App, it means you have read this Privacy Policy and understood the purposes, methods and procedures for processing of your personal data specified herein. If you do not agree with the Privacy Policy, do not use the Website or the App.
We may combine personal data provided by you when using the App and/or the Website with data we obtain from other public and available sources (e.g. we may combine personal data provided by you with data obtained from the use of Website cookies or data lawfully received from third parties).
The Privacy Policy is a living, constantly changing document; therefore, we can improve, modify and update it. You will be additionally informed about critical policy changes, but we encourage you to review this Privacy Policy from time to time. 
 
  1. DEFINITIONS
 
The following terms are defined as follows in this Privacy Policy: 
 
  • We or Company shall mean SIA “CityBee Latvija”, a private limited liability company, established and operating under the laws of the Republic of Latvia, legal entity code 50203191721, address of registered office: Piestātnes str. 11A, LV-2015 Jūrmala, Latvia. 
 
  • Services shall mean all services that the Company offers and provides to you, including (i) services of lease (use), maintenance of the Vehicle and assets therein, third party liability insurance, also providing materials and fuel necessary for the use of the Vehicle and other assets for their normal purpose, (ii) services provided via the App and the Website.
 
 
 
  • App shall mean CityBee software for smartphones, tablets and/or other mobile devices, which is used to perform Vehicle reservation, unlocking, locking and/or other actions provided for therein.
 
  • Account shall mean a digital account created in the App.
 
  • Terms and Conditions or Terms shall mean the Company’s Terms on Rental and Service Provision available on the App as well as Website.
 
  • Services Agreement shall mean the agreement on provision of the Services concluded between you and the Company in accordance with the Terms and Conditions.
 
Other terms shall have the meanings assigned to them and defined in the GDPR, the Terms and the Services Agreement.
In case of contradictions between this Privacy Policy and the Terms, provisions of this Privacy Policy shall prevail.
  2. ON WHAT LEGAL GROUNDS DO WE PROCESS YOUR PERSONAL DATA?
We process your data specified in this Privacy Policy on these legal grounds:
  • for conclusion, performance, amendment and administration of the Services Agreement (Article 6(1)(b) of the GDPR);
  • for fulfilment of legal obligations and requirements of legal acts applicable to us (Article 6(1)(c) of the GDPR);
  • for pursuing our legitimate interests and those of third parties (Article 6(1)(f) of the GDPR);
  • for acting in accordance with your consent (Article 6(1)(a) of the GDPR, Article 9(2)(a) of the GDPR).
 
In the scope and under the conditions set by applicable legal acts, one or several of the abovementioned legal grounds may apply to processing of the same personal data of yours.
 
  3. WHAT PERSONAL DATA DO WE COLLECT AND FOR WHAT PURPOSES DO WE USE THEM?
 
3.1. Account creation in the App
In order to start using the App, you must create an Account and provide us with the data specified below.
 
If you wish to rent vehicles, in order to verify your identity and your right to drive, we will need the following additional data about you: your facial image (selfie), photo of the first side of the driving license and the driving license data. 
 
Before we start providing the Services, we must check whether the image of your face in the selfie made with the App coincides with the photo on the driving license and make sure that your driving license is valid. 
 
If for your identity and driving license verification purposes you do not agree to provide your facial image (selfie) and driving license details through the App, you may contact us, and we will offer you an acceptable alternative.
 
Account creation in the App
Data categories
In the Account creation process, you provide us with and we collect the following data: first name, surname, mobile phone number, e-mail address, address of the place of residence, payment card information (card type, card number digits, expiry date), Account creation date, date of accepting the last version of the Terms, IP address, and other technical data we have collected.
Additional data categories if you wish to use vehicles 
 
Your facial image (selfie), photo of the first side of the driving license, personal ID number and/or date of birth, driving license number, expiry date, photo of your face and other information from the driving license, the state and the authority that issued the driving license, driving license validity verification data (we do it by involving service providers), data of matching the face image with the photo on the driving license, date of uploading the driving license to the Account, other settings and system data.
Legal grounds for data processing
Conclusion, performance, amendment and administration of the Services Agreement (Article 6(1)(b) of the GDPR).
Our legitimate interest and that of third parties (Article 6(1)(f) of the GDPR):
  • to make sure that only persons entitled to drive can order and use our Services;
  • to make sure that identity of our customers is properly verified, and that identity theft is prevented;
  • to ensure performance of contractual obligations, defence of rights;
  • to ensure pursuance of our own, our customers’ and other persons’ rights and legitimate interests. 
Legal obligations and requirements of legal acts (Article 6(1)(c) of the GDPR) in the following areas:
  • accounting, taxes, other public obligations;
  • prevention of money laundering;
  • protection of consumer rights; 
  • product safety; 
  • road safety, Road Traffic Regulations;
  • information security; 
  • other areas relevant for us.
Your consent to process your facial image (selfie) (Article 6(1)(a) of the GDPR, Article 9(2)(a) of the GDPR).
Duration of data processing
 
If the Services Agreement was terminated without using the Services – during the effective term of the Services Agreement and for a maximum period of 3 months after its expiry.
In all other cases, during the effective term of the Services Agreement and for a maximum period of 5 years after its expiry.
Chapter VI of the Privacy Policy lists cases and conditions where personal data of yours can be stored or otherwise processed for a longer period of time.
We recognise you as our customer according to some data you presented during registration and creation of the Account, when, for example, you want to update or change your data, contact us for presentation of certain personal information, exercise of rights in connection with personal data processing, etc. We also use your mobile phone number, e-mail and other Account details when we need to confirm your registration, verify your identity, help you and in similar cases.
 
3.2. Use of the App and the Services
When you use the App and the Services, we collect and process the following data:
Use of the App and the Services
Data categories related to the use of the App
Information indicated in paragraph 3.1 of the Privacy Policy.
The operating system of your device, version of the App used, technical and system data of using the App.
Internal information about your Account (Account creation date and status, customer and Account identifiers, date of adding the driving license, the fact of blocking (suspension of the Services Agreement) and the reason for it, actions of changing your Account details, actions in your Account, various systemic Account data, data about login to the Self-service and use of the Self-service, other information related to the use of the Account).
Data about your device location when using the App (date, GPS data, etc.), its operating system, version, other relevant data.
Data categories related to the use of the Services
Vehicle reservation, location and time of locking/unlocking it.
Information on the Vehicle you used, start of reservation, date and time of use, places where the Vehicle was taken and left, the Vehicle GPS data, route, speed, travel distance, duration, use of fuel and fuel card, other travel and Vehicle parameters. 
Price of Services provided to you, discounts, fact of payment, fact of invoicing, fact and amount of debt, etc.
Maximum customer’s limit on the amount of debt for Services provided, discounts, coupons, their validity, use.
Payments you made for our Services, travel, information about season tickets or transfers of funds to the Wallet, amount in the Wallet and information on its use, other data of performed payment transactions (date, amount, last four digits of the card used for payment, etc.). 
Information about radars set by you in the App (location, time, radius, etc.).
Your feedback on Services given in the App (date, text, etc.).
Data of periodic (regular) checking of the validity of the driving license (when you have added your driving license and plan to use vehicles).
Information on performance of the Services Agreement (violations, fines, etc.), violations of Road Traffic Regulations. 
Categories of data related to the Rimi loyalty card (when applicable)
Data related to the added/used Rimi loyalty card program: last 8 numbers of Rimi card, Vehicle reservation date, transaction number and amount, amount of Rimi money generated, location of store. 
 
Categories of data used for provision of relevant information, communicating with you
Your first name, surname, mobile phone number, e-mail address, address of the place of residence, other information you provided to us.
Title of the electronic notification sent to you, notification delivery fact and date, notification opening (reading) fact and date, fact and date of opening a link in the notification content and so on.
 
Legal grounds for data processing
Conclusion, performance, amendment and administration of the Services Agreement (Article 6(1)(b) of the GDPR). Your consent to add Rimi card (Article 6(1)(a) of the GDPR).
Legitimate interest pursued by us or by third party (Article 6(1)(f) of the GDPR):
  • to perform risk assessment, protection of the Company's assets, ensuring security of third parties and their assets;
  • to ensure collection of fees for the Services provided, administration of debts, management of damages;
  • to ensure pursuance of our own and third parties’ rights and legitimate interests;
  • to ensure functionality of the App and information systems;
  • to ensure provision, support, improvement of the Services;
  • to collect evidence that a notification was provided to you and that it was read (opened).
Legal obligations and requirements of legal acts (Article 6(1)(c) of the GDPR) in the following areas (to the extent applicable):
  • accounting, taxes, other public obligations;
  • prevention of money laundering;
  • protection of consumer rights;
  • personal data protection; 
  • product safety; 
  • road safety, Road Traffic Regulations;
  • information security; 
  • other areas relevant for us.
Duration of data processing
If the Services Agreement was terminated before you used Services under the Services Agreement – during the effective term of the Services Agreement and for a maximum period of 3 months after its expiry.
 
Route GPS data, speed data – no longer than 12 months after their generation.
Data about your device location when using the App (date, GPS data, etc.), its operating system, version, etc. – no longer than 12 months after their generation.
Information about radars set by you in the App (date, coordinates, radius, etc.) – no longer than 12 months after their generation.
Your feedback on Services given on the App (date, text, etc.) – no longer than 12 months after it was given.
In all other cases – during the effective term of the Services Agreement and for a maximum period of 5 years after its expiry.
Chapter VI of the Privacy Policy lists cases and conditions when these personal data of yours can be stored and otherwise processed for a longer period of time.
 
There is an electronic system installed in each Vehicle that records and transmits to us information on the location of the Vehicle, distance covered by the Vehicle, speed and other data relating to the Vehicle. We need these data in order to provide Services to you and to perform the Services Agreement otherwise.
 
If during use of the Vehicle you connect your device to the Vehicle devices (e.g. navigation, multimedia systems), your device data, e.g. the given name, contacts stored on the device and Bluetooth ID, shall be stored in the Vehicle unless you delete them following the instructions of the Vehicle manufacturer. 
When you use the Vehicle and the Services, we have the right to periodically check the validity of your driving license. If we notice that your driving license is about to expire, we may contact you (by e-mail, SMS, push notifications, other notifications in the App) and inform you about the expiry of the driving license.
Collection of data about important notifications sent to you 
We also use your contact data (e-mail, phone number, address of the place of residence) to communicate with you, including answers to your inquiries, requests, providing information relevant to you about use of our Services, changes in the Services Agreement, Terms, pricelist and/or the Privacy Policy, to contact you if you forgot your things in the Vehicle or we have identified any problems in connection with Services provided, etc. 
We have the right to make sure that you have been informed of the latest changes to the Services Agreement and/or the Terms and/or this Privacy Policy and to collect evidence that this type of notification has been provided and read (opened) by you. When we send you notifications of this type, we collect the above-indicated information about the notifications sent to you.
 
3.3. Direct marketing, marketing
3.3.1. Notifications, offers and information by e-mail, SMS, push notifications in the App
We process your personal data in order to be able to provide general and personal offers (including offers from our partners) and other information. We can send notifications, offers and information to you in several ways: by e-mail, SMS, InApp notifications, push notifications in the App. In order to choose notifications and offers to be sent to you, to know you and your needs better, to improve your experience while using our Services, to automate use of marketing tools for the most effective customer engagement, to expand the range of Services we offer and to constantly improve them, to give you relevant, interesting and useful offers and other information about our Services, we analyse data related to customers’ behaviour on the App, patterns of use of our Services and/or other signs, and will use such data to group customers. For these purposes, we use advanced data analytics tools (such as CleverTap), which are based on automated data analysis. 
For the above-indicated purposes, we process the following data of yours:
Notifications, offers and information by e-mail, SMS, push notifications, etc.
Data categories
your name, surname, e-mail address and/or telephone number; customer identifier, date of birth, login type; country, city; age, customer registration date, type (private/business customer), status (complete/incomplete); the App version; operating system; direct marketing consents; whether the customer added the driving license, payment card; the number of trips per period; amount of money spent on the Services; date, time and place of the trip; Vehicle used.
Legal grounds for data processing
Our legitimate interest (Article 6(1)(f) of the GDPR, Article 13(2) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), paragraph 2 of Article 69 of the Law on Electronic Communications):
  • to send you general and personalized offers and information;
  • to send you push notifications in the App;
  • to perform automation of marketing tools.
Your consent (Article 6(1)(a) of the GDPR) to receive our partners’ offers and information, also, as much as applicable, consents presented by you before the effective date of this Privacy Policy to receive direct marketing notifications. 
Duration of data processing
We will store the fact of consent during the period of validity of the consent and for 24 months after its expiry. The consent validity period shall be up to 36 months, unless it is withdrawn by you earlier.
Chapter VI of the Privacy Policy lists cases and conditions when these personal data of yours can be stored or otherwise processed for a longer period of time.
 
The actions described above do not have any legal or similarly significant impact on you, but they will allow us to better understand your needs, interests and hobbies, create and offer you a wider range of Services that meet your needs better, install the App updates you anticipate, provide a better-quality experience of using our Services.
You can easily unsubscribe from notifications with offers and information in the App, see also Chapter VII of the Privacy Policy. You can easily refuse the App push notifications in the App, which are enabled for all customers by default, see also Chapter VII of the Privacy Policy. 
 
3.3.2. Optimisation of the marketing tools
In order to improve the efficiency of the management of our various marketing tools, we use Apps Flyer and other advanced tools to help us collect your data related to your behaviour in the App and/or interest in our ads displayed on websites of third parties (Apps Flyer and similar partner platforms), our offers or our other marketing tools. For this purpose, we may analyse the data collected and evaluate the effectiveness, efficiency and payback of our marketing decisions (e.g. evaluate channels where ads are displayed, their number, etc.) and make better marketing decisions for the sake of more efficient re-attracting of customers. 
Data are obtained in the App with the help of the integrated data collection technology. Data are generated when you use the App and/or Apps Flyer or apps and websites of other partner platforms of Facebook and Google. 
For analysis and advertising purposes, we also use third party tools such as Google FireBase, Google Ads, Google Analytics, Facebook Ads Manager, in order to collect aggregated and anonymised information on how individuals use the App, to understand how we can improve it and provide up-to-date non-personalized advertising about our services. 
The listed means and tools will help us better understand your needs, interests and hobbies, which in its own turn will allow us to create and offer you a wider range of Services that meet your needs better, install the App updates you anticipate, provide a better-quality experience when you use the App and our Services.
For the above-indicated purposes, we collect and process the following data of yours:
Optimisation of the marketing tools
 
Data categories 
Technical information related to the customer’s device, such as browser type, device type and model, processor, system language, memory, OS version, Wi-Fi status, time stamp and zone, device motion or other parameters.
Technical identifiers that normally identify only a computer, device, browser or program, such as an IP address, User agent, IDFA (identifier for advertisers), Android ID (in Android devices); Google advertiser ID, other similar unique identifiers.
Engagement information, i.e. information related to ad campaigns and ultimate actions of the customer, such as clicks on ads, display of revised ads, audiences or segments to which the ad campaign is assigned, the type of ads and a website or program where such ads were displayed, websites visited by the end user, URL from the referring site, downloads and installs of the program, and other interactions, events and customer actions in the program (e.g. selected vehicle, booked trips, clicks, entry time, etc.).
Data categories (Google FireBase, Google Analytics)
Data on how you use the App.
Legal grounds for data processing
  1. Your consent (Article 6(1)(a) of the GDPR):
  • your consent for us to use Apps Flyer or another marketing optimisation tool for your data in the App.
  2. Our legitimate interest (Article 6(1)(f) of the GDPR; Article 13(2) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), paragraph 2 of Article 9 of Law On Information Society Services of the Republic of Latvia – to the extent applicable):
  • to group and categorise customers, test marketing tools used and organise automated use of marketing tools for the most effective customer engagement.
Duration of data processing
No longer than 24 months after data are collected. We will store the fact of consent during the period of its validity and for 24 months after it expires.
Chapter VI of the Privacy Policy lists cases and conditions when these personal data of yours can be stored or otherwise processed for a longer period of time.
 
For more information on how Apps Flyer tool works and what data it collects, go to Apps Flyer privacy policy: https://www.appsflyer.com/services-privacy-policy/
You can read more information on how Google collects and uses these data in the Google privacy policy: https://policies.google.com/privacy?hl=en
 
3.3.3. Marketing on social media 
We administer our profiles and accounts on social networks:
If you are interested in our Services and follow our profiles on social media, we collect and process these data of yours (which we obtain directly from you (in the social media account), so that we can manage our social media accounts):
Marketing in social media
 
Data categories
Name, surname, gender, country, photograph, information about communication in the account (“like”, “follow”, “comment”, “share”, etc.), notifications sent, information on notifications (message receipt time, message content, message attachments, correspondence history, etc.), comments, reactions to published entries, sharing, information on participation in events and/or games organized by us.
Legal grounds for data processing
Your consent (Article 6(1)(a) of the GDPR).
Our legitimate interest to manage our social media profiles (Article 6(1)(f) of the GDPR), Facebook Insights, etc.
Duration of data processing
During the period of consent validity and for 24 months after it expires. 
Personal data used for this purpose shall be stored as long as you are registered on a specific social network.
Chapter VI of the Privacy Policy lists cases and conditions when these personal data of yours can be stored or otherwise processed for a longer period of time.
 
We can create and manage our fan pages or groups on the Facebook platform. Facebook and we are jointly responsible only for data processing of Facebook Insight (https://lv-lv.facebook.com/help/pages/insights) (Article 26(1) of the GDPR) and only to the extent these data are used to create “page insights” and only concerning steps from data collection from our fan page to their transfer to Facebook. As for any other data processing, we and Facebook are independent controllers.
Data processing of our fan page visitors is intended for statistical assessment of the use of such page. All information obtained with Facebook tools is linked to Facebook Insight tool, which provides us with anonymised information about pages you visit and your activeness (e.g. at what time you and other visitors pay attention to videos, when you read longer notifications, when your top activeness on a social network is recorded). These data are used to improve the content placed on the fan page and your experience of using it and to select marketing tools. 
Please note that the Company’s fan page is integrated into the Facebook platform, therefore Facebook has all the possibilities to collect your other personal data, as well. Detailed information about the data processing activities of Facebook, the purposes and scope of data use related to the data provided by you can be found at: http://www.facebook.com/policy.php.
If you want to exercise your rights in connection with these data, it would be more effective for you to contact Facebook directly. If you still need help to exercise your rights, you can contact us in the ways provided in Chapter VII of the Privacy Policy.
 
3.4. Statistics, analytics, customer behaviour research
In order to monitor, evaluate, analyse, improve and further the quality of Services provision, the App, offer new Services or new quality Services, increase the availability of Services, improve the security of use of the Services, improve user experience when using the Services, we analyse various statistical data.
 
Statistics, analytics, customer behaviour research
Data categories
 
Vehicle reservations, time and place of their locking/unlocking, Vehicle information, start of reservation, date and time of use, places where Vehicle was taken and left, Vehicle GPS data, route, speed, travel distance, duration, use of fuel and fuel card, other travel parameters, travel history, telemetric data, etc.
Legal grounds for data processing
Our legitimate interest to analyse data, install and use data analysis and processing modules and methods in order to create, increase value both for you as a customer and for our business (Article 6(1)(f) of the GDPR).
Duration of data processing
No longer than 36 months after the data is generated.
Chapter VI of the Privacy Policy lists cases and conditions when these personal data of yours can be stored or otherwise processed for a longer period of time.
The Company, as a socially responsible business entity, is implementing the mission to contribute to road safety, responsible and careful driving and a safe and healthy society. The methods and modules used to analyse data will enable us to predict, identify dangerous driving, identify drivers under the influence, which will allow us to reduce accident statistics, prevent or reduce losses due to accidents, and will contribute to responsible, safe and polite participation in traffic. 
We use automated data analysis tools based on the latest scientific achievements (including artificial intelligence) to conduct this data research, introduce and use data analysis and processing modules and methods. 
Data analysis actions, performed for the purposes described in this chapter, do not have any legal or comparable significant effect on you.
 
3.5. Operation and security of the App, information systems
We process your personal data to identify potential threats of abuse of the Services, fraud or other illegal activities, to protect the App, the Website, information systems and data from unauthorized modifications, cyber-attacks, unauthorized access and other related risks, ensure the operation, integrity, security of the App and information systems. We register information about your and our actions in the App, in the Account, on the Website:
Operation and security of the App, information systems
Data categories
 
Data about login to the App, data about the device operating system, entry, use, change of the Account, data or other activities on the App, in the Account, log entries, changes and their history, settings, other system parameters.
Legal grounds for data processing
Conclusion, performance, amendment and administration of the Services Agreement (Article 6(1)(b) of the GDPR).
Legitimate interest pursued by us or by third party (Article 6(1)(f) of the GDPR):
  • to ensure security, resilience, recoverability, traceability, integrity, functioning of actions, operations of the App and information systems;
  • to ensure uninterrupted provision of our Services, their support and improvement.
Legal obligations and requirements of legal acts (Article 6(1)(c) of the GDPR) in the following areas:
  • personal data protection; 
  • information security; 
  • other areas relevant for us.
Duration of data processing
Logs and related entries – up to 3 months.
If the Services Agreement was terminated before you used Services – during the effective term of the Services Agreement and up to 3 months after its expiry.
In all other cases – during the effective term of the Services Agreement and for a maximum period of 5 years after its expiry.
Chapter VI of the Privacy Policy lists cases and conditions when these personal data of yours can be stored or otherwise processed for a longer period of time.
 
If we notice actions in your Account that we find suspicious, we may ask you to do certain actions (e.g. check your e-mail accounts, change PIN, etc.).
 
3.6. Prevention of fraud, enforcement of legal requirements, administration of debts and damages
We process your personal data in order to implement our legal requirements and defence of legitimate interests (including fraud prevention), protect our property and interests and those of our customers and other persons, collect evidence of violations and prevent the abuse of our interests, those of our customers and other persons, abuse of the App, the Website, Vehicle, our Services, also to administer, manage and recover your debts and damages inflicted on us and our property. 
Prevention of fraud, enforcement of legal requirements, administration of debts and damages
Data categories
 
Information on your debt to the Company, including the debt amount, date, history, information on performance of the Services Agreement, violations of Road Traffic Regulations, damage to the Company, Vehicle, third parties, insured events related to you, other related information.
Data about you from public registers and information systems lawfully available to our service providers (involved in debt administration, administration of damages, debt recovery).
Information about inquiries, requests, information, etc. provided by companies (e.g. insurance companies), authorities (e.g. police).
Information on assets, other persons that were in the Vehicle (in case of damage, violations, etc.). 
All other personal data specified in this Privacy Policy.
Legal grounds for data processing
Our legitimate interest (Article 6(1)(f) of the GDPR):
  • to perform risk assessment and management;
  • to ensure protection of our property, property interests and those of our customers, other persons;
  • to ensure collection of fees for the Services provided, administration of debts, management of damages;
  • to ensure prevention of fraud, other actions of bad faith;
  • to administer, manage and recover your debts and damages inflicted on us and our property;
  • to ensure pursuance of our rights and legitimate interests.
Conclusion, performance, amendment and administration of the Services Agreement (Article 6(1)(b) of the GDPR).
Duration of data processing
During the entire effective term of the Services Agreement and for a maximum period of 5 years after its expiry.
Chapter VI of the Privacy Policy lists cases and conditions when these personal data of yours can be stored or otherwise processed for a longer period of time.
 
We have the right, to the extent permitted by applicable legal acts and in the light of our legitimate interests, to analyse and evaluate the above data and to make decisions based on them that may affect how we will provide Services to you (if you use our Services) and whether we will provide them. If we have reasonable doubts about your ability to pay for our Services or other reasonable doubts about data and information provided by you when you are registering in the App and/or use our Services, we will have the right, based on our legitimate interest, to request our service providers to provide or to access lawfully accessible data about you on our own (including your credit rating, etc.) and evaluate them for the purposes of prevention of fraud, other actions of bad faith, for assessing your solvency, for debt management and/or recovery. 
3.7. Website administration, support, improvement
When you visit and browse our Website, for the purpose of collecting statistical data and improving the quality of Services and visitor experience, we process the following data:
Website administration, support, improvement
Data categories
 
IP address, MAC address, date of visit, duration of visit, pages visited, devices and applications used for web browsing, etc.
 
Legal grounds for data processing
Your consent (Article 6(1)(a) of the GDPR).
Our legitimate interest to analyse data in order to administer, improve the Website operation, improve our activities and create value both for you as a customer and for our business (Article 6(1)(f) of the GDPR).
 
Duration of data processing
See the Cookie Policy. 
 
Cookies are used on the Website. More information on cookies used on the Website can be found in our Cookie Policy.
We use the analytical service Google Analytics, which allows us to capture and analyse statistical data on the use of the Website. More information about Google Analytics and information collected with its tools can be found at
If you do not want Google Analytics tools to capture your browsing information, you can use the Google Analytics opt-out browser add-on or change your cookie settings.
 
3.8. Customer service – inquiries, requests, complaints
If you contact our customer service centre by phone and agree that your telephone call is recorded, we will record the information you provide, including personal data, so that we can properly examine your request and/or respond to your inquiry.
If you contact us in writing (by e-mail or otherwise), we will store the fact of you contacting us and the information provided, including personal data, so that we can properly examine your request and/or respond to your question, request or complaint. 
For the above-indicated customer service purposes, we will use the following data: 
Customer service – inquiries, requests, complaints
Data categories
 
The telephone number you are calling from or the e-mail address, other information pertaining to your inquiry, including, but not limited to, first name, surname, licence plate number of the vehicle you drive, break-down, traffic accident data, inquiry content, etc.; call record, technical details of the call (date, duration, etc.); history of calls; complaint, request, inquiry text, description of the circumstances of the complaint or another inquiry, documents supporting the complaint, request, inquiry, other information provided to us. 
Legal grounds for data processing
Your consent (Article 6(1)(a) of the GDPR).
Conclusion, performance, amendment and administration of the Services Agreement (Article 6(1)(b) of the GDPR).
Our legitimate interest and that of third parties (Article 6(1)(f) of the GDPR).
Duration of data processing
Call records are stored for a maximum period of 6 months from the moment of the call.
Complaints, claims, written requests related to the performance of the Services Agreement and/or which may be related to disputes, shall be stored throughout the entire effective term of the Services Agreement and no longer than for 5 years after its expiry, unless longer periods specified below apply.
Chapter VI of the Privacy Policy lists cases and conditions when these personal data of yours can be stored or otherwise processed for a longer period of time.
 
3.9. Compliance with tax, accounting, other statutory obligations 
 
In order to be able to ensure proper implementation of tax, accounting, other statutory obligations (i.e. correct issuance of accounting documents and their declaration to public authorities, implementation of anti-money laundering requirements, etc.), we process the following personal data of yours: 
 
Compliance with tax, accounting, other statutory obligations
 
Data categories
 
First name, surname, address, personal ID number, VAT number (when a person is registered as a VAT payer), data about the Service (Service description; price/amount paid), issued accounting documents and their details, other accounting and tax data that we must collect, process and store under laws and other legal acts.
Legal grounds for data processing
Legal obligations and requirements of legal acts (Article 6(1)(c) of the GDPR):
  • accounting, taxes, other public obligations;
  • prevention of money laundering (to the extent applicable);
  • protection of consumer rights;
  • product safety; 
  • information security; 
  • other areas relevant for us.
Our legitimate interest to store accounting data and records (Article 6(1)(f) of the GDPR). 
Duration of data processing
Up to 10 years as of the date of accounting documents, invoices, etc.
The periods of storage, archiving and management of documents of the Company apply and are set according to effective legal acts, in compliance with requirements of the Index of the General Document Storage Periods, as approved by the National Archives of Latvia, and other documents and/or recommendations.
Chapter VI of the Privacy Policy lists cases and conditions when these personal data of yours can be stored or otherwise processed for a longer period of time.
 
3.10. Business Customers’ Accounts
If the Services Agreement is concluded with us by a business customer (company, institution, organisation) (hereinafter – Business Customer), we process personal data of representatives of such Business Customer, as indicated below.
We also process any other personal data referred to in paragraphs 3.1–3.9 of this Privacy Policy about employees or representatives of Business Customers, who use our App and Services.
Business Customers’ Accounts
Data categories
Name, address, legal entity code of the Business Customer (company), first name, surname, title, e-mail address, telephone number of the person responsible for the performance of the Services Agreement, other information; VAT number (when the entity is registered as a VAT payer), data of the payment card used (card type, last four digits of the card number, expiry date), bank account data.
Data categories – employees and representatives of Business Customers
Personal data indicated in paragraphs 3.1–3.9 of this Privacy Policy.
Legal grounds for data processing
Conclusion, performance, amendment and administration of the Services Agreement (Article 6(1)(b) of the GDPR).
Legitimate interest pursued by us or by third party (Article 6(1)(f) of the GDPR):
  • to perform risk assessment, protection of our assets, ensuring security of third parties and their assets;
  • to ensure collection of fees for the Services provided, administration of debts, management of damages;
  • to ensure pursuance of our own and third parties’ rights and legitimate interests;
  • to ensure functionality of the App and information systems;
  • to ensure prevention of fraud, other actions of bad faith;
  • to administer, manage and recover your debts and damages inflicted on us and our property;
  • to ensure provision of the Services, support, improvement.
Legal obligations and requirements of legal acts (Article 6(1)(c) of the GDPR) in the following areas:
  • accounting, taxes, other public obligations;
  • prevention of money laundering;
  • protection of consumer rights;
  • information security; 
  • other areas relevant for us.
Duration of data processing
During the entire effective term of the Services Agreement and for a maximum period of 5 years after its expiry.
Periods indicated in relevant paragraphs 3.1–3.9 of this Privacy Policy.
Chapter VI of the Privacy Policy lists cases and conditions when these personal data of yours can be stored or otherwise processed for a longer period of time.
 
Our Business Customers shall ensure and undertake that:
 
  • their employees and representatives are informed that a representative of the Business Customer will be able to see and process data on their trips and on Services provided to them when they use the Business Customer’s Account;
  • their employees and representatives get familiar with and properly comply with conditions and requirements of the Services Agreement, the Terms and this Privacy Policy.
 
Representatives, employees of Business Customers have all rights of data subjects provided for in Chapter VII of this Privacy Policy.
In the event that Business Customers act as data controllers for their employees, representatives and other agents, we are not responsible for such processing operations and the provisions of this Privacy Policy do not apply to such processing operations.
Business Customers acknowledge and understand that all actions taken by their employees and representatives or other persons that they perform or allow others to perform by downloading, installing, accessing, using our App, Account, Services and Vehicle, are legitimate and appropriate and assume liability for them.
  4. FROM WHAT SOURCES DO WE OBTAIN YOUR DATA?
We receive almost all of your personal data from you: when you download the App, create an Account, use the App, the Account, Services and in other cases, also as explained in more detail in Chapter III of this Privacy Policy. 
Data we receive from you indirectly under a legitimate basis (the list is non-exhaustive):
  • data of periodic (regular) verification of driving license validity;
  • information on violations of Road Traffic Regulations, traffic accidents, damage to the Company, Vehicle, third parties;
  • information on your payment transactions that we receive from providers of payment services;
  • information about inquiries, requests, information, etc. provided by companies (e.g. insurance companies), authorities (e.g. police);
  • your data lawfully accessed by providers of debt, damages management, administration, credit rating and/or debt recovery services, other service providers;
  • data transferred by providers of internet services, communication services when you use the internet, communications;
  • information we receive from service providers, partners, competent authorities (e.g. when the State Data Protection Inspectorate performs an investigation), other data controllers indicated in Chapter V of the Privacy Policy;
  • information we receive from public registers and information systems.
 
  5. DO WE SHARE YOUR DATA WITH OTHERS?
The Company has involved various service providers (e.g. providers of server hosting, data centres, cloud computing, support, IT, payment, identity verification, document validity verification, intermediation, payments, audit, accounting, legal, tax advisory services, administration of damages, debt collection, analytics, direct marketing, e-mail, SMS messaging, customer service, call centre and other services).
Data processors we use are usually located in the Member States of the European Union or store data entrusted to them by the Company in the European Union. Only a few carefully selected data processors (such as Google, Apps Flyer, CleverTap) process data outside the European Union. In addition, when we manage our social media accounts, we receive and provide data to social network platform operators (e.g. LinkedIn, Facebook, Google), which also operate outside the European Union, e.g. in the USA. We closely follow practices of data protection supervisory authorities and the guidelines on the transfer of data outside the European Union, and we diligently consider conditions, under which data are transferred and may be subsequently processed and stored after the transfer outside the European Union. To ensure an adequate level of security of data and to guarantee legitimate transfer of data, we conclude Standard Contractual Clauses approved by the European Commission for data transfer outside the European Economic Area (EEA) or follow other grounds and conditions set out in the GDPR.
We use cloud computing solutions (e.g. Microsoft Azure) for data processing. Servers / storage facilities for the cloud computing solutions used are located and operate in the Member States of the European Union. Microsoft Azure database data are stored in data centres located in the EEA Member States (see more at https://azure.microsoft.com/en-us/global-infrastructure/geographies/).
Data processors can process your personal data only according to our instructions. Besides, they must ensure security of your data in accordance with applicable legal acts and agreements concluded with us.
If necessary and legally justified, we also provide your data to service providers that are separate data controllers, also to competent authorities, institutions, organisations, also other data controllers who are entitled to receive information in accordance with applicable legal acts and/or our legitimate interests (Article 6(1)(b) of the GDPR, Article 6(1)(a) of the GDPR, Article 6(1)(c) of the GDPR, Article 6(1)(e) of the GDPR, Article 6(1)(f) of the GDPR) (the list is non-exhaustive):
  • we contact (or that is done by service providers selected by us) the authority that issued the driving license to make sure that the driving license you have presented is valid;
  • in the event of a traffic accident, your data will be transferred to insurance companies and, if necessary, to other parties involved in the traffic accident;
  • based on Vehicle data available to us, we have the right and, in certain cases, an obligation to transfer information about violations of Road Traffic Regulations (e.g. about speeding, driving under the influence) to competent authorities (e.g., the police);
  • we have the right and the obligation to transfer information to the competent authorities (pre-trial investigation bodies, etc.) for the purposes of prevention of fraud, offence and crime prevention and investigation;
  • if you fail to meet your financial obligations under the conditions of the Services Agreement and the Terms and do not pay your debt within the time limit specified in the notice, we have the right to transfer data on your debt and your personal data (including first name, surname, personal ID number and other data proving the debt) to persons with legitimate interest in obtaining such data for the purposes of debt management, administration, credit rating and/or debt recovery; 
  • your personal data may also be transferred to other data controllers (insurance companies, vehicle maintenance service providers or other additional service providers) if you order additional services, as well as to providers of vehicle financial lease services, credit institutions;
  • we provide data to service providers that are separate controllers of your data (partners whose offers you have agreed to receive, etc.);
  • if you add a Rimi card, we also share the categories of data related to the Rimi loyalty card information (3.2.) with the Rimi card owner.
 
With your consent, your data may be disclosed to persons you have indicated. 
  6. HOW LONG DO WE STORE YOUR PERSONAL DATA?
Personal data specified in this Privacy Policy shall be stored and otherwise processed for no longer than the period specified in Chapter III of this Privacy Policy for each relevant data category and for no longer than necessary to achieve the purposes for which the data were collected.
In those cases when the data storage period is not indicated in this Privacy Policy, your data will be stored no longer than necessary for achievement of the purposes, for which the data were collected, or for a period set by legal acts.
After the end of your data processing and storage period set in this Privacy Policy, we destroy your data or anonymise them irreversibly and reliably as soon as possible, within a period reasonably necessary for performance of such an action.
If different processing or storage periods can be applied to the same data category for different purposes in accordance with this Privacy Policy, the longest of the applicable periods shall apply.
Your personal data can be stored for a period longer than indicated in this Privacy Policy only when:
  • your data is necessary for the proper administration of the debt, damages (for example, you have not fulfilled your financial and/or property obligations or caused damage to us or other persons), examination and settlement of a dispute, complaint, the protection of our legitimate interests or those of third parties; 
  • that is necessary in order that we could defend ourselves from existing or threatening demands, claims or legal actions and exercise our rights;
  • there are reasonable suspicions of violations, illegal activities, which are or may be a subject to investigation;
  • this is necessary for ensuring the functioning, resilience, integrity of backup copies, information systems, traceability of operations, statistical and other similar purposes; 
  • there are other grounds provided for in legal acts.
 
  7. WHAT RIGHTS DO YOU HAVE?
You, as a data subject, have rights under the GDPR, including the right:
  • to request access to your personal data and get their copy;
  • to request rectification or restriction of inaccurate or incomplete personal data;
  • to request deletion or restriction of personal data which are excessive or unlawfully processed;
  • to object to the processing of your personal data; 
  • to request transfer of your personal data provided in a structured, machine-readable format;
  • to withdraw your consent at any time if data processing is based on the data subject’s consent. Withdrawal of the data subject’s consent shall not affect lawfulness of data processing before the withdrawal of the consent;
  • to file a complaint with the Data State Inspectorate of Latvia (Datu valsts inspekcijas) (Elijas str. 17, LV-1050 Rīga, Latvia, e-mail: pasts@dvi.gov.lv), but we would recommend contacting us first and we will try to resolve all your concerns together with you.
 
7.1. How can you contact us to exercise your rights?
You can submit your request for the exercise of your rights (as far as your Account is concerned) to us in the following ways:
  • submitting a request by e-mail at info@citybee.lv, signed with qualified e-signature (e.g. by use of Smart-ID or M-signature), or
  • sending a request by e-mail at info@citybee.lv with a notarised copy of the personal ID document, or
  • arriving at our customer service department (in such a case, we will ask to produce a personal ID document).
The right to access data processed and the right to obtain a copy of personal data
If you are our customer, you can download an automatically generated copy of personal data related to your Account (i.e. data indicated in paragraphs 3.1–3.3 of the Privacy Policy) by logging in to your Account in the Self-service at https://selfservice.citybee.lv/. After you log in to your Account in the Self-service at https://selfservice.citybee.lv/, select your e-mail address at the top right and then click “Get my data in CityBee”.
If you do not have an Account any longer, write to us at info@citybee.lv and we will send you an e-mail at your e-mail address, which you have previously indicated when registering in the Account, with information on how you can receive an automatically generated copy of your Account related personal data.
Please note that the Self-service can be accessed, and a data copy can be downloaded, only online, upon entering the address https://selfservice.citybee.lv/ in the browser. You will not be able to download a data copy via the App.
 
7.2. Right to rectification of personal data
In case of changes in data presented by you to us (surname, e-mail address, telephone number), change of driving license data (you changed or updated your driving license) or in case you think that the information processed by us about you is inaccurate or incorrect, you have the right to demand to modify, amend or correct such information. 
You can make some corrections and changes to your data on your Account in the App (e.g. upload a new driving license after the previous license expires). In other cases, you must contact us in the ways indicated in paragraph 7.1 of the Privacy Policy and request that we correct or amend your data. 
 
7.3. Right to withdraw the consent
Where we process your data on the basis of your consent, you have the right to withdraw your consent at any time and data processing based on your consent will stop.
For example, you can withdraw your consent to receive offers and information at any time. The withdrawal of these consents will not prevent you from continuing to use our Services, but this will mean that we will not be able to give offers that may be useful to you.
You have the right to withdraw consent at any time in the following ways:
  • by phone: +371 272 65460;
  • by e-mail: info@citybee.lv;
  • by clicking on the link “Unsubscribe from newsletters” in the e-mail at any time; or
  • by opting out of receipt of marketing notifications in the Account settings in the App. 
 
You can opt out of push notifications:
 
  • by opting out of push notifications in the Account settings in the App;
  • by changing the operating system settings in your device. 

       
7.4. Right to object to data processing, when processing is based on legitimate interests
You have the right to object to personal data processing when personal data is processed based on our legitimate interests. In the event that we send you general offers and information on the basis of our legitimate interest, you have the right to opt out of general offers at any time:
  • by phone: +371 272 65460; 
  • by e-mail: info@citybee.lv;
  • by clicking on the link “Unsubscribe from newsletters” in the e-mail at any time;
  • by opting out of receipt of marketing notifications in the Account settings in the App.
 
You can opt out of push notifications in the App:
 
  • by opting out of push notifications in the Account settings in the App;
  • by changing the operating system settings in your device. 
 
7.5. Right to erasure (right to be forgotten) 
When there are certain circumstances indicated in legal acts on personal data protection (e.g. when the basis for data processing has disappeared, etc.), you have the right to request that we erase your personal data. In order to exercise this right, please contact us in the ways indicated in paragraph 7.1 of the Privacy Policy.
We will treat your request to erase all your data as a request to terminate the Services Agreement, which shall be terminated in accordance with the Terms. 
A request to erase some of the data of yours can result in suspension or termination of the Services Agreement or that we will not be able to provide all the Services to you. For example, if the driving license is removed at your request, you will be able to order and use only those Services which do not require a valid driving license. Your request to erase or change some of your data (for example, adding new payment card, removing payment card from payment methods, etc.) may result in this data no longer appearing in your Account, although we will have the right to further process such data on the grounds set out below in this section. 
If you provide us with the request to erase all or some of your data and express your wish “to be forgotten”, we will no longer process those data of yours which will no longer be necessary for the purposes for which they were collected or otherwise processed. After you have exercised the right “to be forgotten”, your personal data will be further processed for the following main purposes and on the following main grounds (the list is non-exhaustive):
  • for the purposes of meeting accounting, tax requirements, personal data will be further processed according to Article 6(1)(c) of the GDPR (data processing is necessary to fulfil the legal obligation imposed on the data controller);
  • GPS (location) data will be further processed according to Article 6(1)(f) of the GDPR (data processing is necessary in pursuance of legitimate interests of the data controller or a third party);
  • in order to manage customers’ complaints and other requests and inquiries, personal data will be processed according to Article 6(1)(b) of the GDPR (it is necessary to process data in order to fulfil the contract, a party to which the data subject is);
  • in case of disputes, administration of damages and debts, in order to pursue our other legal claims and protect our rights, data will be further processed according to Article 6(1)(f) of the GDPR (data processing is necessary in pursuance of legitimate interests of the data controller or a third party).
If you delete (uninstall) the App, it shall not mean termination of the Services Agreement, it will continue in effect until terminated in accordance with the Terms. 
 
7.6. Right to restriction of data processing
When there are certain circumstances indicated in personal data protection legal acts (when personal data is processed unlawfully, when you challenge data accuracy, you stated an objection to data processing on the basis of our legitimate interest, etc.), you also have the right to restrict your data processing. 
However, we must point out that, because of the restriction of data processing and during the period of such restriction, we may be unable to guarantee you all the Services, which may lead to the suspension or termination of the Services Agreement or that we will be unable to provide you with some Services. For example, if the driving license is removed at your request, you will be able to order and use only those Services which do not require a valid driving license. 
In order to exercise this right, please contact us in the ways indicated in paragraph 7.1 of the Privacy Policy. 
 
7.7. Right to data portability
You can download an automatically generated copy of personal data related to the Account by logging into your Account in the Self-service. If you do not have an Account any longer, write to us at info@citybee.lv and we will send you an e-mail at your e-mail address, which you have previously indicated when registering in the Account, with information on how you can receive an automatically generated copy of your Account related personal data.
We will provide a data copy to you in a structured form in JSON electronic files or electronic files of another comparable format, which will enable you to move your data to another service provider.
In order to exercise this right, please contact us in the ways indicated in paragraph 7.1 of the Privacy Policy. 
 
7.8. Right to lodge a complaint 
If you think that we process your data in breach of requirements of personal data protection legal acts, we always ask that you contact us directly first. We believe that our good-faith efforts will be enough to dispel any doubts you may have, to answer your questions, to satisfy requests and to correct any errors we made, if any.
If you are not satisfied with a problem solution we suggest or if, in your opinion, we are not taking actions that must be taken in order to satisfy your request, you will have the right to lodge a complaint with the Data State Inspectorate of Latvia (Datu valsts inspekcijas) (Elijas str. 17, LV-1050 Rīga, Latvia, e-mail: pasts@dvi.gov.lv).
 
7.9. Examination procedure of requests
In order to protect our customers’ data from illegal disclosure, upon receipt of your request to present data or implement other rights of yours, we will have to verify your identity. For identity verification, we, first of all, use the ways indicated in paragraph 7.1 of the Privacy Policy.
In those cases when you do not have an Account any more or there is no possibility to use the ways indicated in paragraph 7.1 of the Privacy Policy, in order to verify your identity, we may ask you to indicate relevant data of your Account (e.g. name, date of birth, e-mail address or telephone number). In performing this verification, we may also send a control notification to the last contact that was in the Account (SMS or e-mail), asking you to take an authorisation action, and we may also request additional documents or data. If the verification procedure fails, we will be forced to state that you are not the data subject of the requested data and we will have to reject your request.
Upon receipt of your request regarding implementation of any right of yours and having successfully performed the above-indicated verification procedure, we undertake without undue delay, but in any case no later than within one month after receipt of your request and completion of the verification procedure, to give you information about actions we took with regard to your request. Depending on the complexity and number of requests, we have the right to extend the period of one month by two more months, informing you about it before the end of the first month and indicating reasons for such an extension.
If your request is submitted electronically, we will give the answer to you electronically, too, unless it is impossible (e.g. due to a particularly large scope of information) or when you request to answer you in some other way.
We have the right to refuse to satisfy your request by our reasoned written response under the conditions and grounds provided for in legal acts. We will provide you with information free of charge, however, if the requests are manifestly unfounded or disproportionate, in particular because of their repetitive content, we may require a reasonable fee to cover administrative costs or may refuse to act upon your request.
  8. HOW DO WE ENSURE THE SECURITY OF YOUR PERSONAL DATA?
We use appropriate organizational and technical personal data security measures, including protection against unauthorized or unlawful processing of data and against accidental loss, destruction or damage. Such measures have been selected taking into account the risks that may arise for your rights and freedoms as those of a data subject.
We strictly control access to your personal data, providing it only to those employees who need personal data for the performance of their work duties, and monitor how they use the access provided. Employees who have access to personal data shall be made aware of the personal data protection requirements and shall ensure the confidentiality of the personal data processed. We provide access to personal data with passwords of the required level and prepare agreements for the protection of confidential information with individuals or partners who are given access to your personal data.
We regularly monitor our systems for possible breaches or attacks, but it is not possible to guarantee full security of information transmitted online. With this in mind, you provide us with information by use of the internet connection via the App at your sole discretion and assuming any associated risks.
In order to ensure the security of customers’ data, we constantly assess and strengthen applicable security requirements. For example, in 2020, a global change of passwords used by customers was initiated as new requirements for the complexity of passwords were introduced. At the beginning of 2021, the Company abandoned passwords altogether and switched to customer identification using unique PIN codes or biometric data. Please note that if you allow the App to use the device functionality that allows recognizing a fingerprint or face image, we will not receive and will not process such data (we will only process the system confirmation from your device whether the device user login was successful).
In order to ensure your data security, the Company will continue performing regular IT security audits in the future.
  9. YOU CAN CONTACT US AS FOLLOWS:
The data controller that processes your personal data indicated in this Privacy Policy is:
 
  • SIA “CityBee Latvija”, legal entity code 50203191721, address: Piestātnes str. 11A, LV-2015 Jūrmala, Latvia.
You can contact us on all issues concerning this Privacy Policy and data processing by SIA CityBee Latvija as follows:
by e-mail: info@citybee.lv
by phone: +371 272 65460. 
A lot of relevant information can also be found in the FAQ section on our Website.
 
  10. VALIDITY AND CHANGES TO THE PRIVACY POLICY
If we change this Privacy Policy, we will publish its updated version on our Website and in the App, besides, you will be additionally informed about the most important changes via e-mail and/or otherwise. The latest changes to the Privacy Policy were made and are valid from 27 October 2021.