PRIVACY POLICY
 
In this document (the “Privacy Policy”), we explain how we process personal data of our customers (“you”) when you use (a) CityBee mobile app (the “App”), (b) CityBee motor vehicles (the “Vehicle”), (c) CityBee website https://www.citybee.lv (the “Website”) and your online self-service account, and (d) when you communicate with us by phone, e-mail, social media and otherwise.
 
We process your personal data in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation, hereinafter referred to as the GDPR), other applicable legal acts in the field of personal data protection as well as this Privacy Policy.
 
In this Privacy Policy, we explain the most important concepts about protection of your personal data: the purposes and grounds on which we process your data, sources from which we receive the data and persons with whom we have the right to share them, our duties with regard to the processing of your data, your rights and how they are implemented.
 
Take your time to carefully read this Privacy Policy and, if you have any questions, please feel free to contact us. 
 
If you use the Website and/or the App, it means you have read this Privacy Policy and understood the purposes, methods and procedures for processing of your personal data specified herein. If you do not agree with the Privacy Policy, do not use the Website or the App.
 
We may combine personal data provided by you when using the App and/or the Website with data we obtain from other public and available sources (e.g. we may combine personal data provided by you with data obtained from the use of Website cookies or data lawfully received from third parties).
 
The Privacy Policy is a living, constantly changing document, therefore, we can improve, modify, update it. You will be additionally informed about critical policy changes, but we encourage reviewing this Privacy Policy from time to time. 
 
I. DEFINITIONS
 
The following terms are defined as follows in this Privacy Policy: 
  • We or Company shall mean SIA “CityBee Latvija”, a private limited liability company, established and operating under the laws of the Republic of Latvia, legal entity code 50203191721, address of registered office: Piestātnes str. 11A, LV-2015 Jūrmala, Latvia. 
  • Services shall mean all services that the Company offers and provides to you, including (i) services of lease (use), maintenance of the Vehicle and assets therein, third party liability insurance, also providing materials and fuel necessary for the use of the Vehicle and other assets for their normal purpose, (ii) services provided via the App and the Website.
  • Website shall mean the website accessible at https://www.citybee.lv.
  • Self-service shall mean online self-service, accessible at https://selfservice.citybee.lv/.
  • App shall mean CityBee software for smartphones, tablets and/or other mobile devices, which is used to perform Vehicle reservation, unlocking, locking and/or other actions provided for therein.
  • Account shall mean a digital account created in the App.
  • Terms and Conditions or Terms shall mean the Company’s Terms on Rental and Service Provision available on the App as well as Website.
  • Services Agreement shall mean the agreement on provision of the Services concluded between you and the Company in accordance with the Terms and Conditions.
Other terms shall have the meanings assigned to them and defined in the GDPR, the Terms and the Services Agreement.
In case of contradictions between this Privacy Policy and the Terms, provisions of this Privacy Policy shall prevail.
 
II. ON WHAT LEGAL GROUNDS DO WE PROCESS YOUR PERSONAL DATA?
 
We process your data specified in this Privacy Policy on these legal grounds:
  • for conclusion, performance, amendment and administration of the Services Agreement (Article 6(1)(b) of the GDPR);
  • for fulfilment of legal obligations and requirements of legal acts applicable to us (Article 6(1)(c) of the GDPR);
  • for pursuing our legitimate interests and those of third parties (Article 6(1)(f) of the GDPR);
  • for acting in accordance with your consent (Article 6(1)(a) of the GDPR, Article 9(2)(a) of the GDPR).
 
In the scope and under the conditions set by applicable legal acts, one or several of the abovementioned legal grounds may apply to processing of the same of your personal data.
 
III. WHAT PERSONAL DATA DO WE COLLECT AND FOR WHAT PURPOSES DO WE USE THEM? 
 
3.1. Account creation in the App
 
In order to start using the App, you must create an Account and provide us with the data specified below.
 
If you wish to rent vehicles, in order to verify your identity and your right to drive, we will need the following additional data about you: your facial image (selfie), photo of the first side of the driving license and the driving license data.
 
Before we start providing the Services, we must check whether the image of your face in the selfie made with the App coincides with the photo on the driving license and make sure that your driving license is valid.
 
If for your identity and driving license verification purposes you do not agree to provide your facial image (selfie) and driving license details through the App, you may contact us, and we will offer you an acceptable alternative.
 
If you are not a EEA citizen or personal identification number is not provided on your driving license, we (we or our partners) will contact you via a video call before we start providing the Services and will ask you to provide additional proof of identity and dictate your personal ID number or its equivalent identification number or code (e.g., in cases where a personal identification number is not issued), which we will store in our system (such video calls are not recorded and stored).
 
Account creation in the App
Data categories
In the Account creation process, you provide us with and we collect the following data: first name, surname, mobile phone number, e-mail address, address of the place of residence, payment card information (card type, card number digits, expiry date), Account creation date, date of accepting the last version of the Terms, IP address, and other technical data we have collected.
Additional data categories if you wish to use vehicles 
Your facial image (selfie), facial image with the driving licence in hand (selfie), photo of the first side of the driving license, personal ID number, other identification number (e.g., passport number) and/or date of birth, driving license number, expiry date, photo of your face and other information from the driving license, the state and the authority that issued the driving license, driving license validity verification data (we do it by involving service providers), data of matching the face image with the photo on the driving license, data that there was a video call during the Account creation process and technical data of such video call, date of uploading the driving license to the Account, other settings and system data.
Legal grounds for data processing
Conclusion, performance, amendment and administration of the Services Agreement (Article 6(1)(b) of the GDPR).
Our legitimate interest and that of third parties (Article 6(1)(f) of the GDPR):
  • to make sure that only persons entitled to drive can order and use our Services;
  • to make sure that identity of our customers is properly verified, and that identity theft is prevented;
  • to ensure performance of contractual obligations, defence of rights;
  • to ensure pursuance of the rights and legitimate interests of our own, customers’ and other persons’.
Legal obligations and requirements of legal acts (Article 6(1)(c) of the GDPR) in the following areas:
  • accounting, taxes, other public obligations;
  • prevention of money laundering;
  • protection of consumer rights;
  • product safety;
  • road safety, Road Traffic Regulations;
  • information security;
  • other areas relevant for us.
Your consent to process your facial image (selfie) (Article 6(1)(a) of the GDPR, Article 9(2)(a) of the GDPR).
Duration of data processing
If the Services Agreement was terminated without using the Services – during the effective term of the Services Agreement and for a maximum period of 3 months after its expiry.
In all other cases, during the effective term of the Services Agreement and for a maximum period of 5 years after its expiry.
Chapter VI of the Privacy Policy lists cases and conditions where personal data of yours can be stored or otherwise processed for a longer period of time
 
We recognise you as our customer according to data you presented during registration and creation of the Account, when, for example, you want to update or change your data, contact us for presentation of certain personal information, exercise of rights in connection with personal data processing, etc. We also use your mobile phone number, e-mail and other Account details when we need to confirm your registration, verify your identity, help you and in similar cases.
 
If during the Account creation process you have provided incomplete data or have not performed all actions necessary for access to the Services, we have the right to remind you of that and accordingly recommend you to provide the remaining data and perform remaining actions.
 
3.2. Use of the App and the Services 
 
When you use the App and the Services, we collect and process the following data:
Use of the App and the Services
Data categories related to the use of the App
Information indicated in paragraph 3.1 of the Privacy Policy.
The operating system of your device, version of the App used, technical and system data of using the App.
Internal information about your Account (Account creation date and status, customer and Account identifiers, date of adding the driving license, the fact of blocking (suspension of the Services Agreement) and the reason for it and duration of the blocking, actions of changing your Account details, actions in your Account, various systemic Account data, data about login to the Self-service and use of the Self-service, other information related to the use of the Account.
Data about your device location when using the App (date, GPS data, etc.), its operating system, version, other relevant data.
Data categories related to the use of the Services
Vehicle reservation, location and time of locking/unlocking it.
Information on the Vehicle you used, start of reservation, date and time of use, places where the Vehicle was taken and left, the Vehicle GPS data, route, speed, travel distance, duration, use of fuel and fuel card, other travel and Vehicle parameters.
Price of Services provided to you, discounts, fact of payment, fact of invoicing, fact and amount of debt, etc.Maximum customer’s limit on the amount of debt for Services provided, discounts, coupons, their validity, use.
Payments you made for our Services, travel, information about season tickets or transfers of funds to the Wallet, amount in the Wallet and information on its use, other data of performed payment transactions (date, amount, last four digits of the card used for payment, etc.). 
Information about radars set by you in the App (location, time, radius, etc.).
Your feedback on Services given in the App (date, text, etc.).
Data of periodic (regular) checking of the validity of the driving license (when you have added your driving license and plan to use vehicles).
Information on performance of the Services Agreement (violations, fines, etc.), violations of Road Traffic Regulations.
Information about the termination of the Services Agreement.
Categories of data related to the Rimi loyalty card (when applicable) Data related to the added/used Rimi loyalty card program: last 8 numbers of Rimi card, Vehicle reservation date, transaction number and amount, amount of Rimi money generated, location of store.
Categories of data used for provision of relevant information, communicating with you
Your first name, surname, mobile phone number, e-mail address, address of the place of residence, other information you provided to us.
Title of the electronic notification sent to you, notification delivery fact and date, notification opening (reading) fact and date, fact and date of opening a link in the notification content and so on.
Legal grounds for data processing
Conclusion, performance, amendment and administration of the Services Agreement (Article 6(1)(b) of the GDPR).
Legitimate interest pursued by us or by third party (Article 6(1)(f) of the GDPR):
  • to perform risk assessment, protection of Vehicles and  other Company's assets, ensuring security of third parties and their assets;
  • to ensure road traffic safety while using our Services and Vehicles;
  • to ensure collection of fees for the Services provided, administration of debts, management of damages;
  • to ensure pursuance of our own and third parties’ rights and legitimate interests;
  • to ensure functionality of the App and information systems;
  • to ensure provision, support, improvement of the Services;
  • to ensure restrictions to access the Services in the future, as provided for in the Services Agreement;
  • to collect evidence that a notification was provided to you and that it was read (opened).
Legal obligations and requirements of legal acts (Article 6(1)(c) of the GDPR) in the following areas (to the extent applicable):
  • accounting, taxes, other public obligations;
  • prevention of money laundering;
  • protection of consumer rights;
  • personal data protection;
  • product safety;
  • road safety, Road Traffic Regulations;
  • information security;
  • other areas relevant for us.
Duration of data processing
If the Services Agreement was terminated before you used Services under the Services Agreement – during the effective term of the Services Agreement and for a maximum period of 3 months after its expiry.
Route GPS data, speed data – no longer than 12 months after their generation.
Data about your device location when using the App (date, GPS data, etc.), except for data in connection with each reservation of Vehicle, its operating system, version, etc.. – no longer than 12 months after their generation.
Information about radars set by you in the App (date, coordinates, radius, etc.) – no longer than 12 months after their generation.
Your feedback on Services given on the App (date, text, etc.) – no longer than 12 months after it was given.
Data intended to ensure restrictions to access the Services in the future as provided for in the Services Agreement – up to 10 years, save for exceptions provided for in the Service Agreement.  
In all other cases – during the effective term of the Services Agreement and for a maximum period of 5 years after its expiry.
Chapter VI of the Privacy Policy lists cases and conditions when these personal data of yours can be stored and otherwise processed for a longer period of time.
 
There is an electronic system installed in each piece of Vehicle that records and transmits to us information on the location of the Vehicle, distance covered by the Vehicle, speed and other data relating to the Vehicle. We need these data in order to provide Services to you and to perform the Services Agreement otherwise.
 
If during use of the Vehicle you connect your device to the Vehicle devices (e.g. navigation, multimedia systems), your device data, e.g. the given name, contacts stored on the device and Bluetooth ID, shall be stored in the Vehicle unless you delete them following the instructions of the Vehicle manufacturer.
 
When you use the Vehicle and the Services, we have the right to periodically check the validity of your driving license. If we notice that your driving license is about to expire, we may contact you (by e-mail, SMS, push notifications, other notifications in the App) and inform you about the expiry of the driving license.
 
Collection of data about important notifications sent to you 
 
We also use your contact data (e-mail, phone number, address of the place of residence) to communicate with you, including answers to your inquiries, requests, providing information relevant to you about use of our Services, changes in the Services Agreement, Terms, pricelist and/or the Privacy Policy, to contact you if you forgot your things in the Vehicle or we have identified any problems in connection with Services provided, etc.
 
We have the right to make sure that you have been informed of the latest changes to the Services Agreement and/or the Terms and/or this Privacy Policy and to collect evidence that this type of notification has been provided and read (opened) by you. When we send you notifications of this type, we collect the above-indicated information about the notifications sent to you.
 
In exceptional cases where the electronic system installed in the Vehicle detects data that a risk could occur to you, the Vehicle and other traffic participants (e.g., high speeding), we have the right to contact you by using automatic means (e.g., automated call or text messages) and inform you about such risks (automated calls are not recorded).
 
3.3. Direct marketing, marketing 
 
3.3.1 Notifications, offers and information by e-mail, SMS, push notifications in the App
 
We process your personal data in order to be able to provide general and personal offers (including offers from our partners) and other information. We can send notifications, offers and information to you in several ways: by e-mail, SMS, InApp notifications, push notifications in the App. In order to choose notifications and offers to be sent to you, to know you and your needs better, to improve your experience while using our Services, to automate use of marketing tools for the most effective customer engagement, to expand the range of Services we offer and to constantly improve them, to give you relevant, interesting and useful offers and other information about our Services, we analyse data related to customers’ behaviour on the App, patterns of use of our Services and/or other signs, and will use such data to group customers. For these purposes, we use advanced data analytics tools (such as CleverTap), which are based on automated data analysis.
 
For the above-indicated purposes, we process the following data of yours:
 
Notifications, offers and information by e-mail, SMS, push notifications, etc.
Data categories
Your name, surname, e-mail address and/or telephone number; customer identifier, date of birth, login type; country, city; age, customer registration date, type (private/business customer), status (complete/incomplete); the App version; operating system; direct marketing consents; whether the customer added the driving license, payment card; the number of trips per period; amount of money spent on the Services; date, time and place of the trip; Vehicle used.
Legal grounds for data processing
Our legitimate interest (Article 6(1)(f) of the GDPR, Article 13(2) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), paragraph 3 of § 1031 of the Electronic Communications Act):
  • to send you general and personalized offers and information;
  • to send you push notifications in the App;
  • to perform automation of marketing tools.
Your consent (Article 6(1)(a) of the GDPR) to receive our partners’ offers and information, also, as much as applicable, consents presented by you before the effective date of this Privacy Policy to receive direct marketing notifications.
Duration of data processing
We will store the fact of consent during the period of validity of the consent and for 24 months after its expiry (your consents given before this Privacy Policy shall continue in effect until they are withdrawn. you will be able to withdraw them at any time under the procedure set in Chapter VII of the Privacy Policy. Besides, before we start obtaining updated consents, we will continue to obtain consents according to our old Privacy Policy (last updated on 14 January 2021)). The consent validity period shall be up to 36 months, unless it is withdrawn by you earlier.
Chapter VI of the Privacy Policy lists cases and conditions when these personal data of yours can be stored or otherwise processed for a longer period of time.
 
The actions described above do not have any legal or similarly significant impact on you, but they will allow us to better understand your needs, interests and hobbies, create and offer you a wider range of Services that meet your needs better, install the App updates you anticipate, provide a better-quality experience of using our Services.
 
You can easily object to sending of notifications with offers and information in the App settings in the Account creation process or you can easily unsubscribe from them at any time later by clicking on the unsubscribe link in the App or in newsletters sent to you, see also Chapter VII of the Privacy Policy (paragraph 2 of Article 9 of Law On Information Society Services of the Republic of Latvia). You can object to sending of push notifications in the App, which are enabled for all customers be default, in the App settings in the Account creation process or at any time later, see also Chapter VII of the Privacy Policy (paragraph 2 of Article 9 of Law On Information Society Services of the Republic of Latvia).
 
3.3.2. Optimisation of the marketing tools
 
In order to improve the efficiency of the management of our various marketing tools, we use Apps Flyer and other advanced tools to help us collect your data related to your behaviour in the App and/or interest in our ads displayed on websites of third parties (Apps Flyer and similar partner platforms), our offers or other our marketing tools. For this purpose, we may analyse the data collected and evaluate the effectiveness, efficiency and payback of our marketing decisions (e.g. evaluate channels where ads are displayed, their number, etc.) and make better marketing decisions for the sake of more efficient re-attracting of customers.
 
Data are obtained in the App with the help of the integrated data collection technology. Data are generated when you use the App and/or Apps Flyer or apps and websites of other partner platforms of Facebook and Google.
 
For analysis and advertising purposes, we also use third party tools such as Google FireBase, Google Ads, Google Analytics, Facebook Ads Manager, in order to collect aggregated and anonymised information on how individuals use the App, to understand how we can improve it and provide up-to-date non-personalized advertising about our services.
The listed means and tools will help us better understand your needs, interests and hobbies, which in its own turn will allow us to create and offer you a wider range of Services that meet your needs better, install the App updates you anticipate, provide a better-quality experience when you use the App and our Services.
For the above-indicated purposes, we collect and process the following data of yours:
 
Optimisation of the marketing tools
Data categories  
Technical information related to the customer’s device, such as browser type, device type and model, processor, system language, memory, OS version, Wi-Fi status, time stamp and zone, device motion or other parameters.
Technical identifiers that normally identify only a computer, device, browser or program, such as an IP address, User agent, IDFA (identifier for advertisers), Android ID (in Android devices); Google advertiser ID, other similar unique identifiers.
Engagement information, i.e. information related to ad campaigns and ultimate actions of the customer, such as clicks on ads, display of revised ads, audiences or segments to which the ad campaign is assigned, the type of ads and a website or program where such ads were displayed, websites visited by the end user, URL from the referring site, downloads and installs of the program, and other interactions, events and customer actions in the program (e.g. selected vehicle, booked trips, clicks, entry time, etc.).
Data categories  (Google FireBase, Google Analytics)
Data on how you use the App.
Legal grounds for data processing
(1) Your consent:
(Article 6(1)(a) of the GDPR):
  • your consent for us to use Apps Flyer or another marketing optimisation tool for your data in the App.
(2) Our legitimate interest: 
(Article 6(1)(f) of the GDPR);
(Article 13(2) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), paragraph 2 of Article 9 of Law On Information Society Services of the Republic of Latvia) – to the extent applicable).
  • to group and categorise customers, test marketing tools used and organise automated use of marketing tools for the most effective customer engagement.
Duration of data processing
No longer than 24 months after data are collected. We will store the fact of consent during the period of its validity and for 24 months after it expires.
Chapter VI of the Privacy Policy lists cases and conditions when these personal data of yours can be stored or otherwise processed for a longer period of time.
 
For more information on how Apps Flyer tool works and what data it collects, go to Apps Flyer privacy policy:
https://www.appsflyer.com/services-privacy-policy/.
 
You can read more information on how Google collects and uses these data in the Google privacy policy:
https://policies.google.com/privacy?hl=en.
 
3.3.3. Marketing on social media 
 
We administer our profiles and accounts on social networks:
https://www.facebook.com/CityBeeEstonia,
https://www.instagram.com/citybeeestonia/,
https://www.linkedin.com/company/citybee-car-sharing etc.
 
If you are interested in our Services and follow our profiles on social media, we collect and process these data of yours (which we obtain directly from you (in the social media account), so that we can manage our social media accounts).
 
Marketing in social media
Data categories
Name, surname, gender, country, photograph, information about communication in the account (“like”, “follow”, “comment”, “share”, etc.), notifications sent, information on notifications (message receipt time, message content, message attachments, correspondence history, etc.), comments, reactions to published entries, sharing, information on participation in events and/or games organized by us.
Legal grounds for data processing
Your consent (Article 6(1)(a) of the GDPR).
Our legitimate interest to manage our social media profiles (Article 6(1)(f) of the GDPR), Facebook Insights, etc.
Duration of data processing
During the period of consent validity and for 24 months after it expires.
Personal data used for this purpose shall be stored as long as you are registered on a specific social network.
Chapter VI of the Privacy Policy lists cases and conditions when these personal data of yours can be stored or otherwise processed for a longer period of time.
 
We can create and manage our fan pages or groups on the Facebook platform. Facebook and we are jointly responsible only for data processing of Facebook Insight (https://lv-lv.facebook.com/help/pages/insights) (Article 26(1) of the GDPR) and only to the extent these data are used to create “page insights” and only concerning steps from data collection from our fan page to their transfer to Facebook. As for any other data processing, we and Facebook are independent controllers.
 
Data processing of our fan page visitors is intended for statistical assessment of the use of such page. All information obtained with Facebook tools is linked to Facebook Insight tool, which provides us with anonymised information about pages you visit and your activeness (e.g. at what time you and other visitors pay attention to videos, when you read longer notifications, when your top activeness on a social network is recorded). These data are used to improve the content placed on the fan page and your experience of using it and to select marketing tools.
 
Please note that the Company’s fan page is integrated into the Facebook platform, therefore Facebook has all the possibilities to collect your other personal data, as well. Detailed information about the data processing activities of Facebook, the purposes and scope of data use related to the data provided by you can be found at: http://www.facebook.com/policy.php.
 
If you want to exercise your rights in connection with these data, it would be more effective for you to contact Facebook directly. If you still need help to exercise your rights, you can contact us in the ways provided in Chapter VII of the Privacy Policy.
 
3.4. Statistics, analytics, customer behaviour research 
 
In order to monitor, evaluate, analyse, improve and further the quality of Services provision, the App, offer new Services or new quality Services, increase the availability of Services, improve the security of use of the Services, improve user experience when using the Services, we analyse various statistical data.
 
Statistics, analytics, customer behaviour research
Data categories
Vehicle reservations, time and place of their locking/unlocking, Vehicle information, start of reservation, date and time of use, places where Vehicle was taken and left, Vehicle GPS data, route, speed, travel distance, duration, use of fuel and fuel card, other travel parameters, travel history, telemetric data, etc.
Legal grounds for data processing
Our legitimate interest to analyse data, install and use data analysis and processing modules and methods in order to create, increase value both for you as a customer and for our business (Article 6(1)(f) of the GDPR).
Duration of data processing
No longer than 36 months after the data is generated.
Chapter VI of the Privacy Policy lists cases and conditions when these personal data of yours can be stored or otherwise processed for a longer period of time.
 
The Company, as a socially responsible business entity, is implementing the mission to contribute to road safety, responsible and careful driving and a safe and healthy society. The methods and modules used to analyse data will enable us to predict, identify dangerous driving, identify drivers under the influence, which will allow to reduce accident statistics, prevent or reduce losses due to accidents, will contribute to responsible, safe and polite participation in traffic.
We use automated data analysis tools based on the latest scientific achievements (including artificial intelligence) to conduct these data research, introduce and use data analysis and processing modules and methods.
Data analysis actions, performed for the purposes described in this chapter, do not have any legal or comparable significant effect on you.
 
3.5. Operation and security of the App, information systems
 
We process your personal data to identify potential threats of abuse of the Services, fraud or other illegal activities, to protect the App, the Website, information systems and data from unauthorized modifications, cyber-attacks, unauthorized access and other related risks, ensure the operation, integrity, security of the App and information systems. We register information about your and our actions in the App, in the Account, on the Website:
 
Operation and security of the App, information systems
Data categories
Data about login to the App, data about the device operating system, entry, use, change of the Account, data or other activities on the App, in the Account, log entries, changes and their history, settings, other system parameters.
Legal grounds for data processing
Conclusion, performance, amendment and administration of the Services Agreement (Article 6(1)(b) of the GDPR).
Legitimate interest pursued by us or by third party (Article 6(1)(f) of the GDPR):
  • to ensure security, resilience, recoverability, traceability, integrity, functioning of actions, operations of the App and information systems;
  • to ensure uninterrupted provision of our Services, their support and improvement.
Legal obligations and requirements of legal acts (Article 6(1)(c) of the GDPR) in the following areas:
  • personal data protection;
  • information security;
  • other areas relevant for us.
Duration of data processing
Logs and related entries – up to 3 months.
If the Services Agreement was terminated before you used Services – during the effective term of the Services Agreement and up to 3 months after its expiry.
In all other cases – during the effective term of the Services Agreement and for a maximum period of 5 years after its expiry.
Chapter VI of the Privacy Policy lists cases and conditions when these personal data of yours can be stored or otherwise processed for a longer period of time.
 
If we notice actions in your Account that we find suspicious, we may ask you to do certain actions (e.g. check your e-mail accounts, change PIN, etc.).
 
3.6. Prevention of fraud, enforcement of legal requirements, administration of debts and damages
 
We process your personal data in order to implement our legal requirements and defence of legitimate interests (including fraud prevention), protect our property and interests and those of our customers and other persons, collect evidence of violations and prevent the abuse of our interests, those of our customers and other persons, abuse of the App, the Website, Vehicle, our Services, also to administer, manage and recover your debts and damages inflicted on us and our property.
 
Prevention of fraud, enforcement of legal requirements, administration of debts and damage 
Data categories
Information on your debt to the Company, including the debt amount, date, history, information on performance of the Services Agreement, violations of Road Traffic Regulations, damage to the Company, Vehicle, third parties, insured events related to you, other related information.
Information on the suspension of the Service Agreement, blocking of the Account, termination of the Service Agreement.
Data about you from public registers and information systems lawfully available to our service providers (involved in debt administration, administration of damages, debt recovery).
Fines and/or debt recoveries for car parks rules violations (private and public).
Information about inquiries, requests, information, etc. provided by companies (e.g. insurance companies), authorities (e.g. police), medical institutions, other organisations (e.g. organisations maintaining lists of persons with psycho-neurological, toxicological, drug abuse problems).
Information on assets, driving licence data, information about other persons that were in the Vehicle and/or were driving it (in case of damage, violations of the Road Traffic Regulations, etc.).
All other personal data specified in this Privacy Policy.
Legal grounds for data processing
Our legitimate interest (Article 6(1)(f) of the GDPR):
  • to perform risk assessment and management;
  • to ensure protection of our property, property interests and those of our customers, other persons;
  • to ensure collection of fees for the Services provided, administration of debts, management of damages;
  • to ensure prevention of fraud, other actions of bad faith;
  • to administer, manage and recover your debts and damages inflicted on us and our property;
  • to ensure pursuance of our rights and legitimate interests.
Conclusion, performance, amendment and administration of the Services Agreement (Article 6(1)(b) of the GDPR).
Duration of data processing
During the entire effective term of the Services Agreement and for a maximum period of 5 years after its expiry.
Chapter VI of the Privacy Policy lists cases and conditions when these personal data of yours can be stored or otherwise processed for a longer period of time.
 
We have the right, to the extent permitted by applicable legal acts and in the light of our legitimate interests, to analyse and evaluate the above data and to make decisions based on them that may affect how we will provide Services to you (if you use our Services) and whether we will provide them. If we have reasonable doubts about your ability to pay for our Services or other reasonable doubts about data and information provided by you when you are registering in the App and/or use our Services, we will have the right, based on our legitimate interest, to request our service providers to provide or to access lawfully accessible data about you on our own (including your credit rating, etc.) and evaluate them for the purposes of prevention of fraud, other actions of bad faith, for assessing your solvency, for debt management and/or recovery.
 
3.7. Website administration, support, improvement
 
When you visit and browse our Website, for the purpose of collecting statistical data and improving the quality of Services and visitor experience, we process the following data:
 
Website administration, support, improvement
Data categories
IP address, MAC address, date of visit, duration of visit, pages visited, devices and applications used for web browsing, etc.
Legal grounds for data processing
Your consent (Article 6(1)(a) of the GDPR).
Our legitimate interest to analyse data in order to administer, improve the Website operation, improve our activities and create value both for you as a customer and for our business (Article 6(1)(f) of the GDPR).
Duration of data processing
See the Cookie Policy.
 
Cookies are used on the Website. More information on cookies used on the Website can be found in our Cookie Policy.
 
We use the analytical service Google Analytics, which allows to capture and analyse statistical data on the use of the Website. More information about Google Analytics and information collected with its tools can be found at:
https://support.google.com/analytics/answer/9019185?hl=en&ref_topic=2919631#zippy=%2Cin-this-article.
 
If you do not want Google Analytics tools to capture your browsing information, you can use Google Analytics opt-out browser add-on or change your cookie settings.
 
3.8. Customer service – inquiries, requests, complaints
 
If you contact our customer service centre by phone and agree that your telephone call is recorded, we will record the information you provide, including personal data, so that we can properly examine your request and/or respond to your inquiry.
 
If you contact us in writing (by e-mail or otherwise), we will store the fact of you contacting us and the information provided, including personal data, so that we can properly examine your request and/or respond to your question, request or complaint.
 
For the above-indicated customer service purposes, we will use the following data:
 
Customer service – inquiries, requests, complaints
Data categories
The telephone number you are calling from or the e-mail address, other information pertaining to your inquiry, including, but not limited to, first name, surname, licence plate number of the vehicle you drive, break-down, traffic accident data, inquiry content, etc.; call record, technical details of the call (date, duration, etc.); history of calls; complaint, request, inquiry text, description of the circumstances of the complaint or another inquiry, documents supporting the complaint, request, inquiry, other information provided to us.
Legal grounds for data processing
Your consent (Article 6(1)(a) of the GDPR).
Conclusion, performance, amendment and administration of the Services Agreement (Article 6(1)(b) of the GDPR).
Duration of data processing
Call records are stored for a maximum period of 6 months from the moment of the call.
Complaints, claims, written requests related to the performance of the Services Agreement and/or which may be related to disputes, shall be stored throughout the entire effective term of the Services Agreement and no longer than for 5 years after its expiry, unless longer periods specified below apply.
Chapter VI of the Privacy Policy lists cases and conditions when these personal data of yours can be stored or otherwise processed for a longer period of time.
 
3.9. Compliance with tax, accounting, other statutory obligations 
 
In order to be able to ensure proper implementation of tax, accounting, other statutory obligations (i.e. correct issuance of accounting documents and their declaration to public authorities, implementation of anti-money laundering requirements, etc.), we process the following personal data of yours:
 
Compliance with tax, accounting, other statutory obligations
Data categories
First name, surname, address, personal ID number, VAT number (when a person is registered as a VAT payer), data about the Service (Service description; price/amount paid), issued accounting documents and their details, other accounting and tax data that we must collect, process and store under laws and other legal acts.
Legal grounds for data processing
Legal obligations and requirements of legal acts (Article 6(1)(c) of the GDPR):
  • accounting, taxes, other public obligations;
  • prevention of money laundering (to the extent applicable);
  • protection of consumer rights;
  • product safety;
  • information security;
  • other areas relevant for us.
Our legitimate interest to store accounting data and records (Article 6(1)(f) of the GDPR).
Duration of data processing
Up to 10 years as of the date of accounting documents, invoices, etc.
The periods of storage, archiving and management of documents of the Company apply and are set according to effective legal acts, in compliance with requirements of the Index of the General Document Storage Periods, as approved by the National Archives of Latvia, and other documents and/or recommendations.
Chapter VI of the Privacy Policy lists cases and conditions when these personal data of yours can be stored or otherwise processed for a longer period of time.
 
3.10. Business Customers’ Accounts
 
If the Services Agreement is concluded with us by a business customer (company, institution, organisation) (hereinafter – Business Customer), we process personal data of representatives of such Business Customer, as indicated below.
 
We also process any other personal data referred to in paragraphs 3.1–3.9 of this Privacy Policy about employees or representatives of Business Customers, who use our App and Services.
 
Business Customers’ Accounts
Data categories
Name, address, legal entity code of the Business Customer (company), first name, surname, title, e-mail address, telephone number of the person responsible for the performance of the Services Agreement, other information; VAT number (when the entity is registered as a VAT payer), data of the payment card used (card type, last four digits of the card number, expiry date), bank account data.
Data categories – employees and representatives of Business Customers
Personal data indicated in paragraphs 3.1–3.9 of this Privacy Policy.
Legal grounds for data processing
Conclusion, performance, amendment and administration of the Services Agreement (Article 6(1)(b) of the GDPR).
Legitimate interest pursued by us or by third party (Article 6(1)(f) of the GDPR):
  • to perform risk assessment, protection of our assets, ensuring security of third parties and their assets;
  • to ensure collection of fees for the Services provided, administration of debts, management of damages;
  • to ensure pursuance of our own and third parties’ rights and legitimate interests;
  • to ensure functionality of the App and information systems;
  • to ensure prevention of fraud, other actions of bad faith;
  • to administer, manage and recover your debts and damages inflicted on us and our property;
  • to ensure provision of the Services, support, improvement.
Legal obligations and requirements of legal acts (Article 6(1)(c) of the GDPR) in the following areas:
  • accounting, taxes, other public obligations;
  • prevention of money laundering;
  • protection of consumer rights;
  • information security;
  • other areas relevant for us.
Duration of data processing
During the entire effective term of the Services Agreement and for a maximum period of 5 years after its expiry.
Periods indicated in relevant paragraphs 3.1–3.9 of this Privacy Policy.
Chapter VI of the Privacy Policy lists cases and conditions when these personal data of yours can be stored or otherwise processed for a longer period of time.
 
Our Business Customers shall ensure and undertake that:
 
  • their employees and representatives are informed that a representative of the Business Customer will have a possibility to see, process data on their trips and Services provided to them when they use the Business Customer’s Account;
  • their employees and representatives would get familiar with and properly comply with conditions and requirements of the Services Agreement, the Terms and this Privacy Policy.
 
Representatives, employees of Business Customers have all rights of data subjects provided for in Chapter VII of this Privacy Policy.
 
In the event that Business Customers act as data controllers for their employees, representative and other agents, we are not responsible for such processing operations and the provisions of this Privacy Policy do not apply to such processing operations.
 
Business Customers acknowledge and understand that all actions taken by their employees and representatives or other persons that they perform or allow others to perform by downloading, installing, accessing, using our App, Account, Services and Vehicle, are legitimate and appropriate and assume liability for them.
 
IV. FROM WHAT SOURCES DO WE OBTAIN YOUR DATA?
 
We receive almost all of your personal data from you: when you download the App, create an Account, use the App, the Account, Services and in other cases, also as explained in more detail in Chapter III of this Privacy Policy.
Data we receive from you indirectly under a legitimate basis (the list is non-exhaustive):
  • data of periodic (regular) verification of driving license validity;
  • information on violations of Road Traffic Regulations, traffic accidents, damage to the Company, Vehicle, third parties;
  • information on your payment transactions that we receive from providers of payment services;
  • information about inquiries, requests, information, etc. provided by companies (e.g. insurance companies), authorities (e.g. police).;
  • your data lawfully accessed by providers of debt, damages management, administration, credit rating and/or debt recovery services, other service providers;
  • data transferred by providers of internet services, communication services when you use the internet, communications;
  • information we receive from service providers, partners, competent authorities (e.g. when the State Data Protection Inspectorate performs an investigation), other data controllers indicated in Chapter V of the Privacy Policy;
  • information we receive from public registers and information systems.
 
V. DO WE SHARE YOUR DATA WITH OTHERS?
 
The Company has involved various service providers (e.g. providers of server hosting, data centres, cloud computing, support, IT, identity verification, document validity verification, intermediation, payments, audit, accounting, legal, tax advisory services, administration of damages, debt collection, analytics, direct marketing, e-mail, SMS messaging, customer service, call centre and other services).
Data processors we use are usually located in the Member States of the European Union or store data entrusted to them by the Company in the European Union. Only a few carefully selected data processors (such as Google, Apps Flyer, CleverTap) process data outside the European Union. In addition, when we manage our social media accounts, we receive and provide data to social network platform operators (e.g. LinkedIn, Facebook, Google), which also operate outside the European Union, e.g. in the USA. We closely follow practices of data protection supervisory authorities and the guidelines on the transfer of data outside the European Union, and we diligently consider conditions, under which data are transferred and may be subsequently processed and stored after the transfer outside the European Union. To ensure an adequate level of security of data and to guarantee legitimate transfer of data, we conclude Standard Contractual Clauses approved by the European Commission for data transfer outside the European Economic Area (EEA) or follow other grounds and conditions set out in the GDPR.
We use cloud computing solutions (e.g. Microsoft Azure) for data processing. Servers / storage facilities for the cloud computing solutions used are located and operate in the Member States of the European Union. Microsoft Azure database data are stored in data centres located in the EEA Member States (see more at https://azure.microsoft.com/en-us/global-infrastructure/geographies/).
Data processors can process your personal data only according to our instructions. Besides, they must ensure security of your data in accordance with applicable legal acts and agreements concluded with us.
If necessary and legally justified, we also provide your data to service providers that are separate data controllers, also to competent authorities, institutions, organisations, also other data controllers who are entitled to receive information in accordance with applicable legal acts and/or our legitimate interests (Article 6(1)(b) of the GDPR, Article 6(1)(a) of the GDPR, Article 6(1)(c) of the GDPR, Article 6(1)(e) of the GDPR, Article 6(1)(f) of the GDPR) (the list is non-exhaustive):
  • we contact (or that is done by service providers selected by us) the authority that issued the driving license to make sure that the driving license you have presented is valid;
  • in the event of a traffic accident, your data will be transferred to insurance companies and, if necessary, to other parties involved in the traffic accident;
  • based on Vehicle data available to us, we have the right and, in certain cases, an obligation to transfer information about violations of Road Traffic Regulations (e.g. about speeding, driving under the influence) to competent authorities (e.g., the police);
  • based on Vehicle data, we have the right and, in certain cases, an obligation to provide information about a person who has violated car parks rules (e.g., when you leave private / public parking without paying the parking fee) to car park managers, operators or debt recovery companies;
  • we have the right and the obligation to transfer information to the competent authorities (pre-trial investigation bodies, etc.) for the purposes of prevention of fraud, offence and crime prevention and investigation;
  • if you fail to meet your financial obligations under the conditions of the Services Agreement and the Terms and do not pay your debt within the time limit specified in the notice, we have the right to transfer data on your debt and your personal data (including first name, surname, personal ID number and other data proving the debt) to persons with legitimate interest in obtaining such data for the purposes of debt management, administration, credit rating and/or debt recovery;
  • your personal data may also be transferred to other data controllers (insurance companies, vehicle maintenance service providers or other additional service providers) if you order additional services, as well as to providers of vehicle financial lease services, credit institutions;
  • your personal data may also be transferred to other Citybee group companies (CityBee Eesti OÜ, Prime Leasing UAB) to ensure effective implementation of suspension and administration of the right to use the Services as provided for in the Services Agreement, as well as in other cases provided for in the Services Agreement.
  • we provide data to service providers that are separate controllers of your data (partners whose offers you have agreed to receive, etc.).
  • in case of adding Rimi card, we also share Categories of data related to the Rimi loyalty card information (3.2.) with Rimi card owner.
 
With your consent, your data may be disclosed to persons you have indicated.
 
VI. HOW LONG DO WE STORE YOUR PERSONAL DATA?
 
Personal data specified in this Privacy Policy shall be stored and otherwise processed for no longer than the period specified in Chapter III of this Privacy Policy for each relevant data category and for no longer than necessary to achieve the purposes for which the data were collected.
In those cases when the data storage period is not indicated in this Privacy Policy, your data will be stored no longer than necessary for achievement of the purposes, for which the data were collected, or for a period set by legal acts.
After the end of your data processing and storage period set in this Privacy Policy, we destroy your data or anonymise them irreversibly and reliably as soon as possible, within a period reasonably necessary for performance of such an action.
If different processing or storage periods can be applied to the same data category for different purposes in accordance with this Privacy Policy, the longest of the applicable periods shall apply.
your personal data can be stored for a period longer than indicated in this Privacy Policy only when:
  • your data is necessary for the proper administration of the debt, damages (for example, you have not fulfilled your financial and/or property obligations or caused damage to us or other persons), examination and settlement of a dispute, complaint, the protection of our legitimate interests or those of third parties;
  • that is necessary in order that we could defend ourselves from existing or threatening demands, claims or legal actions and exercise our rights;
  • there are reasonable suspicions of violations, illegal activities, which are or may be a subject to investigation;
  • this is necessary for ensuring the functioning, resilience, integrity of backup copies, information systems, traceability of operations, statistical and other similar purposes;
  • there are other grounds provided for in legal acts.
 
VII. WHAT RIGHTS DO YOU HAVE?
 
You, as a data subject, have rights under the GDPR, including the right:
  • to request access to your personal data and get their copy;
  • to request rectification or restriction of inaccurate or incomplete personal data;
  • to request deletion or restriction of personal data which are excessive or unlawfully processed;
  • to object to the processing of your personal data;
  • to request transfer of your personal data provided in a structured, machine-readable format;
  • to withdraw your consent at any time if data processing is based on the data subject’s consent. Withdrawal of the data subject’s consent shall not affect lawfulness of data processing before the withdrawal of the consent;
  • to file a complaint with the Data State Inspectorate of Latvia (Datu valsts inspekcijas) (Elijas str. 17, LV-1050 Rīga, Latvia, e-mail: pasts@dvi.gov.lv), but we would recommend contacting us first and we will try to resolve all your concerns together with you.
 
7.1. How can you contact us to exercise of your rights?
 
You can submit your request for the exercise of your rights (as far as your Account is concerned) to us in the following ways:
  • submitting a request by e-mail at dpo@citybee.lv, signed with qualified e-signature (e.g. by use of Smart-ID or M-signature), or
  • sending a request by e-mail at dpo@citybee.lv with a notarised copy of the personal ID document, or
  • arriving at our customer service department (in such a case, we will ask to produce a personal ID document).
 
7.2. The right to access data processed and the right to obtain a copy of personal data
 
If you are our customer, you can download an automatically generated copy of personal data related to your Account (i.e. data indicated in paragraphs 3.1–3.3 of the Privacy Policy) by logging to your Account in the Self-service at https://selfservice.citybee.lv/. After you log in to your Account in the Self-service at https://selfservice.citybee.lv/, select you email address at the right on the top and then click “Get my data in CityBee”.
If you do not have an Account any longer, write us at dpo@citybee.lv and we will send you an e-mail at your e-mail address, which you have previously indicated when registering in the Account, with information on how you can receive an automatically generated copy of your Account related personal data.
Please note that the Self-service can be accessed, and a data copy can be downloaded only online, upon entering the address https://selfservice.citybee.lv/ in the browser. you will not be able to download a data copy via the App.
 
7.3. Right to rectification of personal data
 
In case of changes in data presented by you to us (surname, e-mail address, telephone number), change of driving license data (you changed or updated your driving license) or in case you think that the information processed by us about you is inaccurate or incorrect, you have the right to demand to modify, amend or correct such information.
You can make some corrections and changes to your data on your Account in the App (e.g. upload a new driving license after the previous license expires). In other cases, you must contact us in the ways indicated in paragraph 7.1 of the Privacy Policy and request that we correct or amend your data.
 
7.4. Right to withdraw the consent
 
In case where we process your data on the basis of your consent, you have the right to withdraw your consent at any time and data processing based on your consent will stop.
For example, you can withdraw your consent to receive offers and information at any time. The withdrawal of these consents will not prevent you from continuing to use our Services, but this will mean that we will not be able to give offers that may be useful to you.
You have the right to withdraw consent at any time in the following ways:
  • by phone: +371 272 65460;
  • by e-mail: dpo@citybee.lv;
  • by clicking on the link “Unsubscribe from newsletters” in the e-mail at any time; or
  • by opting out of receipt of marketing notifications in the Account settings in the App.
 
You can opt out of push notifications:
 
  • by opting out of push notifications in the Account settings in the App;
  • by changing the operating system settings in your device.
 
7.5. Right to object to data processing, when processing is based on legitimate interests
 
You have the right to object to personal data processing, when personal data is processed based on our legitimate interests. In the event that we send you general offers and information on the basis of our legitimate interest, you have the right to opt out of general offers at any time:
  • by phone: +371 272 65460;
  • by e-mail: dpo@citybee.lv;
  • by clicking on the link “Unsubscribe from newsletters” in the e-mail at any time;
  • by opting out of receipt of marketing notifications in the Account settings in the App.
 
You can opt out of push notifications in the App:
 
  • by opting out of push notifications in the Account settings in the App;
  • by changing the operating system settings in your device.
 
7.6. Right to erasure (right to be forgotten)
 
When there are certain circumstances indicated in legal acts on personal data protection (e.g. when the basis for data processing has disappeared, etc.), you have the right to request that we erase your personal data. In order to exercise this right, please contact us in the ways indicated in paragraph 7.1 of the Privacy Policy.
We will treat your request to erase all your data as a request to terminate the Services Agreement, which shall be terminated in accordance with the Terms.
A request to erase some of the data of yours can result in suspension or termination of the Services Agreement or that we will not be able to provide all the Services to you. For example, if the driving license is removed at your request, you will be able to order and use only those Services which do not require a valid driving license. Your request to erase or change some of your data (for example, adding new payment card, removing payment card from payment methods, etc.) may result in this data no longer appearing in your Account, although we will have the right to further process such data on the grounds set out below in this section.
If you provide us with the request to erase all or some of your data and express your wish “to be forgotten”, we will no longer process those data of yours which will no longer be necessary for the purposes for which they were collected or otherwise processed. After you have exercised the right “to be forgotten”, your personal data will be further processed for the following main purposes and on the following main grounds (the list is non-exhaustive):
  • for the purposes of meeting accounting, tax requirements, personal data will be further processed according to Article 6(1)(c) of the GDPR (data processing is necessary to fulfil the legal obligation imposed on the data controller);
  • GPS (location) data will be further processed according to Article 6(1)(f) of the GDPR (data processing is necessary in pursuance of legitimate interests of the data controller or a third party);
  • in order to manage customers’ complaints and other requests and inquiries, personal data will be processed according to Article 6(1)(b) of the GDPR (it is necessary to process data in order to fulfil the contract, a party to which the data subject is);
  • in order to ensure restrictions to access the Services in the future, as provided for in the Services Agreement, data (the reason, data, duration of termination of the Services Agreement, your certain identification data, etc.) will be stored and processed according to Article 6(1)(f) of the GDPR (data processing is necessary in pursuance of legitimate interests of the data controller or a third party);
  • in case of disputes, administration of damages and debts, in order to pursue our other legal claims and protect our rights, data will be further processed according to Article 6(1)(f) of the GDPR (data processing is necessary in pursuance of legitimate interests of the data controller or a third party).
If you delete (uninstall) the App, it shall not mean termination of the Services Agreement, it will continue in effect until terminated in accordance with the Terms.
 
7.7. Right to restriction of data processing
 
When there are certain circumstances indicated in personal data protection legal acts (when personal data is processed unlawfully, when you challenge data accuracy, you stated an objection to data processing on the basis of our legitimate interest, etc.), you also have the right to restrict your data processing.
However, we must point out that, because of the restriction of data processing and during the period of such restriction, we may be unable to guarantee you all the Services, which may lead to the suspension or termination of the Services Agreement or that we will be unable to provide you with some Services. For example, if the driving license is removed at your request, you will be able to order and use only those Services which do not require a valid driving license.
In order to exercise this right, please contact us in the ways indicated in paragraph 7.1 of the Privacy Policy.
 
7.8. Right to data portability
 
You can download an automatically generated copy of personal data related to the Account by logging into your Account in the Self-service. If you do not have an Account any longer, write us at dpo@citybee.lv and we will send you an e-mail at your e-mail address, which you have previously indicated when registering in the Account, with information on how you can receive an automatically generated copy of your Account related personal data.
We will provide a data copy to you in a structured form in JSON electronic files or electronic files of another comparable format, which will enable you to move your data to another service provider.
In order to exercise this right, please contact us in the ways indicated in paragraph 7.1 of the Privacy Policy.
 
7.9. Right to lodge a complaint 
 
If you think that we process your data in breach of requirements of personal data protection legal acts, we always ask that you contact us directly at first. We believe that our good will efforts will be enough to disperse any doubts you may have, to answer your questions, to satisfy requests and correct any errors we made, if any.
If you are not satisfied with a problem solution we suggest or if, in your opinion, we are not taking actions that must be taken in order to satisfy your request, you will have the right to lodge a complaint with the Data State Inspectorate of Latvia (Datu valsts inspekcija) (Elijas str. 17, LV-1050 Rīga, Latvia, e-mail: pasts@dvi.gov.lv).
 
7.10. Examination procedure of requests
 
In order to protect our customers’ data from illegal disclosure, upon receipt of your request to present data or implement other rights of yours, we will have to verify your identity. For identity verification, we, first of all, use the ways indicated in paragraph 7.1 of the Privacy Policy.
In those cases when you do not have an Account any more or there is no possibility to use the ways indicated in paragraph 7.1 of the Privacy Policy, in order to verify your identity, we may ask you to indicate relevant data of your Account (e.g. name, date of birth, e-mail address or telephone number). In performance of this verification, we may also send a control notification at the last contact that was in the Account (SMS or e-mail), asking to take an authorisation action, we may also request additional documents or data. If the verification procedure fails, we will be forced to state that you are not the data subject of the requested data and we will have to reject your request.
Upon receipt of your request regarding implementation of any right of yours and having successfully performed the above-indicated verification procedure, we undertake without undue delay, but in any case no later than within one month after receipt of your request and completion of the verification procedure, to give you information about actions we took with regard to your request. With regard to complexity and number of requests, we have the right to extent the period of one month for two more months, informing you about it before the end of the first month and indicating reasons for such an extension.
If your request is submitted electronically, we will give the answer to you electronically, too, unless it is impossible (e.g. due to a particularly large scope of information) or when you request to answer you in some other way.
We have the right to refuse to satisfy your request by our reasoned written response under the conditions and grounds provided for in legal acts. We will provide you with information free of charge, however, if the requests are manifestly unfounded or disproportionate, in particular because of their repetitive content, we may require a reasonable fee to cover administrative costs or may refuse to act upon your request.
 
VIII. HOW DO WE ENSURE THE SECURITY OF YOUR PERSONAL DATA?
 
We use appropriate organizational and technical personal data security measures, including protection against unauthorized or unlawful processing of data and against accidental loss, destruction or damage. Such measures have been selected taking into account the risks that may arise for your rights and freedoms as those of a data subject.
We strictly control access to your personal data, providing it only to those employees who need personal data for the performance of their work duties, and monitor how they use the access provided. Employees who have access to personal data shall be made aware of the personal data protection requirements and shall ensure the confidentiality of the personal data processed. We provide access to personal data with passwords of the required level and prepare agreements for the protection of confidential information with individuals or partners who are given access to your personal data.
We regularly monitor our systems for possible breaches or attacks, but it is not possible to guarantee full security of information transmitted online. With this in mind, you provide us with information by use of the internet connection via the App at your sole discretion and assuming any associated risks.
In order to ensure the security of customers’ data, we constantly assess and strengthen applicable security requirements. For example, in 2020, a global change of passwords used by customers was initiated as new requirements for the complexity of passwords were introduced. At the beginning of 2021, the Company refused passwords altogether and switched to customer identification using unique PIN codes or biometric data. Please note that if you allow the App to use the device functionality that allows recognizing a fingerprint or face image, we will not receive and will not process such data (we will only process the system confirmation from your device whether the device user login was successful).
In order to ensure your data security, the Company will continue performing regular IT security audits in the future.
 
IX. YOU CAN CONTACT US AS FOLLOWS:
 
The data controller that processes your personal data indicated in this Privacy Policy is:
 
  • SIA “CityBee Latvija”, legal entity code 50203191721, address: Piestātnes str. 11A, LV-2015 Jūrmala, Latvia.
Data Protection Officer
In compliance with the requirements of the GDPR, we have appointed a Data Protection Officer who can be contacted on all issues concerning this Privacy Policy and all other matters relating to data processing by SIA “CityBee Latvija”.
Contact information of the Data Protection Officer:
Email: dpo@citybee.lv;
Phone: +371 272 65460.
Also, a lot of relevant information can also be found in the FAQ section on our Website.
 
X. VALIDITY AND CHANGES TO THE PRIVACY POLICY
 
If we change this Privacy Policy, we will publish its updated version on our Website and in the App, besides, you will be additionally informed about the most important changes via e-mail and/or otherwise. The latest changes to the Privacy Policy were made and are valid from 23 May 2022.