We receive almost all of your personal data from you: when you download the App, create an Account, use the App, the Account, Services and in other cases, also as explained in more detail in Chapter III of this Privacy Policy.

Data we receive from you indirectly under a legitimate basis (the list is non-exhaustive):

The Company has involved various service providers (e.g. providers of server hosting, data centres, cloud computing, support, IT, identity verification, document validity verification, intermediation, payments, audit, accounting, legal, tax advisory services, administration of damages, debt collection, analytics, direct marketing, e-mail, SMS messaging, customer service, call centre and other services).

Data processors we use are usually located in the Member States of the European Union or store data entrusted to them by the Company in the European Union. Only a few carefully selected data processors (such as Google, Apps Flyer, CleverTap) process data outside the European Union. In addition, when we manage our social media accounts, we receive and provide data to social network platform operators (e.g. LinkedIn, Facebook, Google), which also operate outside the European Union, e.g. in the USA. We closely follow practices of data protection supervisory authorities and the guidelines on the transfer of data outside the European Union, and we diligently consider conditions, under which data are transferred and may be subsequently processed and stored after the transfer outside the European Union. To ensure an adequate level of security of data and to guarantee legitimate transfer of data, we conclude Standard Contractual Clauses approved by the European Commission for data transfer outside the European Economic Area (EEA) or follow other grounds and conditions set out in the GDPR.

We use cloud computing solutions (e.g. Microsoft Azure) for data processing. Servers / storage facilities for the cloud computing solutions used are located and operate in the Member States of the European Union. Microsoft Azure database data are stored in data centres located in the EEA Member States (see more at https://azure.microsoft.com/en-us/global-infrastructure/geographies/).

Data processors can process your personal data only according to our instructions. Besides, they must ensure security of your data in accordance with applicable legal acts and agreements concluded with us.

If necessary and legally justified, we also provide your data to service providers that are separate data controllers, also to competent authorities, institutions, organisations, also other data controllers who are entitled to receive information in accordance with applicable legal acts and/or our legitimate interests (Article 6(1)(b) of the GDPR, Article 6(1)(a) of the GDPR, Article 6(1)(c) of the GDPR, Article 6(1)(e) of the GDPR, Article 6(1)(f) of the GDPR) (the list is non-exhaustive):

 

Personal data specified in this Privacy Policy shall be stored and otherwise processed for no longer than the period specified in Chapter III of this Privacy Policy for each relevant data category and for no longer than necessary to achieve the purposes for which the data were collected.

In those cases when the data storage period is not indicated in this Privacy Policy, your data will be stored no longer than necessary for achievement of the purposes, for which the data were collected, or for a period set by legal acts.

After the end of your data processing and storage period set in this Privacy Policy, we destroy your data or anonymise them irreversibly and reliably as soon as possible, within a period reasonably necessary for performance of such an action.

If different processing or storage periods can be applied to the same data category for different purposes in accordance with this Privacy Policy, the longest of the applicable periods shall apply.

your personal data can be stored for a period longer than indicated in this Privacy Policy only when:

You, as a data subject, have rights under the GDPR, including the right:

You can submit your request for the exercise of your rights (as far as your Account is concerned) to us in the following ways:

If you are our customer, you can download an automatically generated copy of personal data related to your Account (i.e. data indicated in paragraphs 3.1–3.3 of the Privacy Policy) by logging to your Account in the Self-service at https://selfservice.citybee.lv/. After you log in to your Account in the Self-service at https://selfservice.citybee.lv/, select you email address at the right on the top and then click “Get my data in CityBee”.

If you do not have an Account any longer, write us at dpo@citybee.lv and we will send you an e-mail at your e-mail address, which you have previously indicated when registering in the Account, with information on how you can receive an automatically generated copy of your Account related personal data.

In case of changes in data presented by you to us (surname, e-mail address, telephone number), change of driving license data (you changed or updated your driving license) or in case you think that the information processed by us about you is inaccurate or incorrect, you have the right to demand to modify, amend or correct such information.

In case where we process your data on the basis of your consent, you have the right to withdraw your consent at any time and data processing based on your consent will stop.

For example, you can withdraw your consent to receive offers and information at any time. The withdrawal of these consents will not prevent you from continuing to use our Services, but this will mean that we will not be able to give offers that may be useful to you.

You have the right to withdraw consent at any time in the following ways:

 

You can opt out of push notifications:

 

You have the right to object to personal data processing, when personal data is processed based on our legitimate interests. In the event that we send you general offers and information on the basis of our legitimate interest, you have the right to opt out of general offers at any time:

 

You can opt out of push notifications in the App:

 

When there are certain circumstances indicated in legal acts on personal data protection (e.g. when the basis for data processing has disappeared, etc.), you have the right to request that we erase your personal data. In order to exercise this right, please contact us in the ways indicated in paragraph 7.1 of the Privacy Policy.

We will treat your request to erase all your data as a request to terminate the Services Agreement, which shall be terminated in accordance with the Terms.

A request to erase some of the data of yours can result in suspension or termination of the Services Agreement or that we will not be able to provide all the Services to you. For example, if the driving license is removed at your request, you will be able to order and use only those Services which do not require a valid driving license. Your request to erase or change some of your data (for example, adding new payment card, removing payment card from payment methods, etc.) may result in this data no longer appearing in your Account, although we will have the right to further process such data on the grounds set out below in this section.

If you provide us with the request to erase all or some of your data and express your wish “to be forgotten”, we will no longer process those data of yours which will no longer be necessary for the purposes for which they were collected or otherwise processed. After you have exercised the right “to be forgotten”, your personal data will be further processed for the following main purposes and on the following main grounds (the list is non-exhaustive):

When there are certain circumstances indicated in personal data protection legal acts (when personal data is processed unlawfully, when you challenge data accuracy, you stated an objection to data processing on the basis of our legitimate interest, etc.), you also have the right to restrict your data processing.

However, we must point out that, because of the restriction of data processing and during the period of such restriction, we may be unable to guarantee you all the Services, which may lead to the suspension or termination of the Services Agreement or that we will be unable to provide you with some Services. For example, if the driving license is removed at your request, you will be able to order and use only those Services which do not require a valid driving license.

You can download an automatically generated copy of personal data related to the Account by logging into your Account in the Self-service. If you do not have an Account any longer, write us at dpo@citybee.lv and we will send you an e-mail at your e-mail address, which you have previously indicated when registering in the Account, with information on how you can receive an automatically generated copy of your Account related personal data.

We will provide a data copy to you in a structured form in JSON electronic files or electronic files of another comparable format, which will enable you to move your data to another service provider.

In order to protect our customers’ data from illegal disclosure, upon receipt of your request to present data or implement other rights of yours, we will have to verify your identity. For identity verification, we, first of all, use the ways indicated in paragraph 7.1 of the Privacy Policy.

In those cases when you do not have an Account any more or there is no possibility to use the ways indicated in paragraph 7.1 of the Privacy Policy, in order to verify your identity, we may ask you to indicate relevant data of your Account (e.g. name, date of birth, e-mail address or telephone number). In performance of this verification, we may also send a control notification at the last contact that was in the Account (SMS or e-mail), asking to take an authorisation action, we may also request additional documents or data. If the verification procedure fails, we will be forced to state that you are not the data subject of the requested data and we will have to reject your request.

Upon receipt of your request regarding implementation of any right of yours and having successfully performed the above-indicated verification procedure, we undertake without undue delay, but in any case no later than within one month after receipt of your request and completion of the verification procedure, to give you information about actions we took with regard to your request. With regard to complexity and number of requests, we have the right to extent the period of one month for two more months, informing you about it before the end of the first month and indicating reasons for such an extension.

If your request is submitted electronically, we will give the answer to you electronically, too, unless it is impossible (e.g. due to a particularly large scope of information) or when you request to answer you in some other way.

We use appropriate organizational and technical personal data security measures, including protection against unauthorized or unlawful processing of data and against accidental loss, destruction or damage. Such measures have been selected taking into account the risks that may arise for your rights and freedoms as those of a data subject.

We strictly control access to your personal data, providing it only to those employees who need personal data for the performance of their work duties, and monitor how they use the access provided. Employees who have access to personal data shall be made aware of the personal data protection requirements and shall ensure the confidentiality of the personal data processed. We provide access to personal data with passwords of the required level and prepare agreements for the protection of confidential information with individuals or partners who are given access to your personal data.

We regularly monitor our systems for possible breaches or attacks, but it is not possible to guarantee full security of information transmitted online. With this in mind, you provide us with information by use of the internet connection via the App at your sole discretion and assuming any associated risks.

In order to ensure the security of customers’ data, we constantly assess and strengthen applicable security requirements. For example, in 2020, a global change of passwords used by customers was initiated as new requirements for the complexity of passwords were introduced. At the beginning of 2021, the Company refused passwords altogether and switched to customer identification using unique PIN codes or biometric data. Please note that if you allow the App to use the device functionality that allows recognizing a fingerprint or face image, we will not receive and will not process such data (we will only process the system confirmation from your device whether the device user login was successful).

The data controller that processes your personal data indicated in this Privacy Policy is:

 

In compliance with the requirements of the GDPR, we have appointed a Data Protection Officer who can be contacted on all issues concerning this Privacy Policy and all other matters relating to data processing by SIA “CityBee Latvija”.

Contact information of the Data Protection Officer:

Email: dpo@citybee.lv;

Phone: +371 272 65460.