Spotiz Privacy Policy

 

 

Spotiz and the User agree that capitalized terms shall have priority over the definition given to them in this Privacy Policy or, failing that, in the General Terms and Conditions accessible on the app (hereinafter the « Terms and Conditions of Spotiz Services »).

 

Last update: November 10, 2021

 

 

Thank you for sharing your personal information with us. At Spotiz, we care about the security of your data and are committed to providing you with clear and transparent information about how we collect, use and share your data when you browse our website at https://spotiz.com (« Website »), use our mobile application (« App ») and when you interact with us in other ways. We process your data in accordance with the requirements set out in the General Data Protection Regulation (« GDPR »), as well as the Data Protection Act 2018 for the UK and other applicable data protection legislation.

 

This Privacy Policy tells you what personal data we collect from you, why, how, how we keep it secure, with whom we share it and your rights regarding it. We recommend that you read it in conjunction with our Terms and Conditions, which set forth the terms and conditions governing the services provided.

 

We update our Privacy Policy regularly, so we encourage you to review it regularly via the App or our Website. If we make changes to this Privacy Policy, the updated version will be available via our App and Website. If we make material changes to this Privacy Policy, we will provide a prominent notice and may also contact you directly by email or other means.

 

Our Services are not intended for children under the age of 18 or any other age limit applicable in your jurisdiction and we do not knowingly collect data relating to children. 

 

 

Who are we?


This Privacy Policy is issued on behalf of the Spotiz SA group, which consists of several different legal entities located throughout Europe. Although the different entities may, from time to time, act as Joint Controllers of your personal data, all Spotiz SA group companies have decided that Spotiz France, a société par actions simplifiée, with registered office at 10 rue German Pilon 75018 Paris – France, registered under number 904 871 209 RCS Paris, is the main controller and the entity responsible for all processing of personal data described in this policy.

If you have any questions about this policy, including questions about your rights under the Data Protection Act, please contact our Delegate at the following address: [email protected]. When we refer to « Spotiz », « we » or « our » in this Privacy Policy, we are referring to our entire group of companies.

 

What data do we collect about you?

 

 

We may collect, use, store and transfer various types of personal data about you (i.e. any information that directly or indirectly identifies you) which we have grouped as follows:

  • Identity and Contact Information: This includes your first name, last name, user name and password, date of birth and gender (if required by law), proof of identity such as an ID card, passport or driver’s license (if required by law), a real-time selfie (where required by the city), billing address, shipping address, email address, telephone numbers, personal license plate and other similar identifiers.
  • Financial and Transactional Data: This includes certain bank account and payment card information as well as any information regarding payments you have made and any other information related to services you have purchased from us and other similar information. Please note that we do not store your complete payment card information. This information is stored by our approved third party payment processor Stripe Inc. via its Stripe Connect service. For more information, you can refer to our
  • Technical and Usage Data: This includes information about how you use our Website and our Application, including your travel and location history, telemetry data (including speed and route selection), your IP (Internet Protocol) address, login data, type and version of browser used, time zone settings, types and versions of browser plug-ins, operating system and platform, and any other similar technological identifiers on the devices you use to access the Website and the Application.
  • Profile Data: this includes purchases you have made, your interests, marketing and communication preferences, your comments and responses to any surveys, and any other similar data you provide to us.
  • User and potential user content includes information you submit when you contact our customer service department, or that we collect with your consent when you participate in our user research program or events we host. This may include comments, photographs, video or audio recordings.
  • Social inclusion program data includes, for the UK, information about any of the following: valid HC2 certificate, DID card or disability railcard; your status as an NHS or emergency services worker or higher education student.

We also process Aggregate Data, such as statistical or demographic data, for any purpose. We may obtain Aggregate Data from your Personal Data, but it is not considered Personal Data under the law because it does not reveal your identity, either directly or indirectly. For example, we may aggregate your Technical and Usage Data to calculate the percentage of users using a particular feature of the Website or Application. Because such data is not regulated, its processing is not subject to this Privacy Policy.

 

If you do not provide us with your personal data

 

 

In the event that we need to collect your personal data under our Terms and Conditions and you do not provide us with the requested data, we may not be able to perform the contract we have entered into or are attempting to enter into with you. In this case, we may not be able to allow you to use the Application, as this information is necessary for the use of our services.

 

 

How is your personal data collected?

 

 

Direct interactions. You may provide us with Identity and Contact Information and Financial and Transactional Data by filling out forms or by interacting with us. This includes Personal Data that you provide to us when you:

  • browse our Website;
  • use our Application;
  • request marketing communications to be sent to you;
  • enter a contest, take advantage of a promotion or complete a survey; or
  • give us feedback or contact us.

 

Automated technologies or interactions. When you interact with our Website and the App, we automatically collect Technical and Usage Data about your browsing, device and route. We collect such Personal Data using telemetry sensors, cookies exclusively through Google Analytics, local storage and other technologies, whether proprietary or provided by third parties. 

 

 

How do we use your personal data?

 

Below you will find a description of all the ways in which we intend to use your personal data and the legal bases on which we will rely for these purposes. Where applicable, we have also indicated our legitimate interests.

 

 

OPERATIONS

Purpose/Activity: Register you as a new customer, provide you with our services and manage payments, fees and charges.

Type of data:

  • Data related to your identity and contact information
  • Financial and transactional data
  • Technical and Usage Data
  • Social and Inclusion Programs Data

Legal basis for processing, including our legitimate interest:

  • Processing necessary for the performance of a contract with you (provision of our services)
  • Processing necessary to comply with a legal obligation (e.g. verifying that you are over 18 years of age or that you hold a valid driver’s license)

Purpose/Activity: To manage our relationship with you, which includes notifying you of any changes or updates to our services, terms of use or privacy policy, responding to any requests from you, and other similar activities.

Type of data:

  • Data related to your identity and contact information
  • User content and potential user
  • Depending on your request, we may need to process other relevant personal data

Legal basis for processing, including our legitimate interest:

  • Processing necessary for the performance of a contract with you (provision of our services); or
  • Processing necessary for our legitimate interests (maintaining a good relationship with our customers)

Purpose/Activity: Cooperate with our insurers and brokers, which includes verifying your identity and providing said data to our insurers and brokers.

Type of data:

  • Data related to your identity and contact information
  • Financial and transactional data
  • Technical and Usage Data

Legal basis for processing, including our legitimate interest:

  • Processing necessary for the performance of a contract with you (ensuring that you are insured during your travels); and
  • Processing necessary for the purposes of our legitimate interests (providing information to our insurers for the purposes of dealing with any claims, i.e. for the purposes of managing our business); and
  • Processing necessary to comply with a legal obligation (the law may require us to provide our services).

Purpose/Activity: To obtain your feedback on our services through satisfaction surveys and/or other similar activities conducted via the app or email.

Type of data:

  • Data related to your identity and contact information
  • User content and potential user

Legal basis for processing, including our legitimate interest:

  • Processing necessary for our legitimate interests (to improve our services based on your feedback).

ADMINISTRATION

Purpose/Activity: To manage and protect our business, Application, and Website, which includes troubleshooting, analyzing data, testing, reporting, hosting data, responding to law enforcement requests, serving the needs of our professional advisors, and any other similar activities. This includes collecting and recovering monies owed to us.

Type of data:

  • Data related to your identity and contact information
  • Financial and transactional data
  • Technical and Usage Data
  • Profile data

Legal basis for processing, including our legitimate interest:

  • Processing necessary for the purposes of our legitimate interests (managing our business, ensuring reliable IT services and network security, preventing fraud, collecting debts, restructuring our business or group); and
  • Processing necessary to comply with a legal obligation (e.g. record keeping obligations).

ANALYSIS

Purpose/Activity: To use data analytics for the purpose of improving our Website, Application, marketing efforts, customer relations, customer experience and similar activities. This includes sharing personal data with third parties providing analytics services.

Type of data:

  • Technical and usage data
  • Profile data

Legal basis for processing, including our legitimate interest:

  • Processing necessary for the purposes of our legitimate interests (studying how our customers use our Application and Website, developing, maintaining and improving our offering and ensuring that it is lawful, safe and reliable).
  • If the law requires us to rely on your consent for this type of processing, we will ask you to consent to the processing for analytical purposes.

ADVERTISING

Purpose/Activity: To provide you with relevant content and advertisements on the Website and the Application, including suggestions and recommendations for products or services that may be of interest to you, to evaluate or understand the effectiveness of the advertisements we provide to you, and any other similar activities. This includes sharing personal data with our advertising partners.

Type of data:

  • Data related to your identity and contact information
  • Technical and usage data
  • Profile data

Legal basis for processing, including our legitimate interest:

  • Processing necessary for the purposes of our legitimate interests (defining and identifying current and future customer types for our offerings, developing our marketing strategy accordingly and developing our business)
  • If the law requires us to rely on your consent for this type of processing, we will ask you to consent to the processing for advertising purposes.

PROSPECTION

Purpose/Activity: To enable you to take advantage of our product promotions and discounts, to promote our services more generally, and for other similar activities. This includes sharing personal data with our business partners.

Type of data:

  • Data related to your identity and contact information
  • Technical and usage data
  • Profile data

Legal basis for processing, including our legitimate interest:

  • Processing necessary for our legitimate interests (to promote our services).
  • If the law requires us to rely on your consent for this type of processing, we will ask you to consent to the processing for marketing purposes.

 

Disclosure of your personal data

 

Our suppliers

We use various suppliers to provide, develop and promote our services. We may share some of your personal data with such vendors for the purposes set forth in the table above. We use these vendors to process payments, store data in the cloud, provide our services, perform data analysis, provide customer service, and perform advertising and marketing activities.

All of our suppliers warrant that they comply with the General Data Protection Regulation (EU) 2016/679 and have entered into data processing contracts with us. We require all third parties to respect the security of your personal data and to process it in accordance with applicable law. We do not allow our third-party service providers to use your personal data for their own purposes (unless it is necessary for the provision of their services, in which case you will be expressly informed) and only allow them to process your personal data for specific purposes and in accordance with our instructions.

 

Transactions within the company

We will share your personal data with other companies in our group.

We may also share your personal data with third parties to whom we may sell or transfer part of our business or assets, or with whom we may decide to merge. In addition, we may seek to acquire or merge with other companies. If such a change in our business occurs, the new owners may use your personal information.

 

Professional advisors and law enforcement

We may disclose your personal information to law enforcement or regulatory agencies in connection with any proceeding or investigation where we are required to do so. We may disclose your personal information to our professional advisors, who are usually licensed by a competent authority (legal representatives, accountants, etc.), if necessary. We may also disclose your personal information to our insurance providers when necessary to process any insurance claim related to your use of our Application.

 

Local authorities

Local authorities require us to share certain information about our Users as a condition of operating in the cities they govern. This exchange is automatic and complies with the Open Mobility Foundation's data exchange protocols. All local authorities have guaranteed that they comply with the General Data Protection Regulation (EU) 2016/679 and have signed data sharing agreements with us.

 

 

Cookies

Most often, cookies are used by third parties and this usually involves the disclosure of Technical and Usage Data, which is often anonymized. Please use our cookie banner to accept or decline all non-essential cookies. To learn more about the cookies we use, please refer to the Website at: https://spotiz.com/cookies/.

 

 

International transfers

Many of the third parties with whom we do business are located outside the European Economic Area (EEA) and therefore their processing of your personal data involves a transfer of data outside the EEA. Where we transfer your personal data outside the EEA, we ensure that a similar level of protection is provided by ensuring that we have in place at least one of the following measures:

Please contact us if you would like to learn more about the specific mechanism we use when transferring your personal data outside the EEA. 

 

 

Data security

 

We have appropriate security measures in place to protect your personal information from accidental loss, unauthorized use or access, alteration or disclosure. In addition, we restrict access to your personal data to our employees, agents, contractors and other third parties who need to know your personal data in order to perform their duties. They will only process your personal data on our instructions and are subject to an obligation of confidentiality.

We have procedures in place to deal with any suspected breach of personal data, and we will notify you and any relevant regulatory body of any breach if we are legally required to do so.

 

 

Data retention

 

 

How long do we use your personal data?

We retain your personal data only for as long as is reasonably necessary to fulfil the purposes for which we collected it, including for the purposes of complying with any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period of time in the event of a claim or if we reasonably believe that litigation is likely to arise in connection with our relationship with you. In determining the appropriate retention period for personal data, we take into account the amount, nature and sensitivity of the data in question, the risks of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data, whether we can fulfill those purposes by other means, and applicable legal, regulatory, tax, accounting and other requirements.

In certain situations, we will irreversibly anonymize your personal data (so that it is no longer personally identifiable) for research and statistical purposes, in which case this policy will cease to apply, and we may use such data indefinitely, without further notice.

Please note that, for tax purposes, we are legally required to retain basic information about our customers for seven years after they cease to be customers.

 

Automated decision making

We use automated decision making, including the use of profiling, when performing age verification. Age verifications are only requested when required by cities, and if so, you will be prompted to perform them on your screen. Our system will check the information on your ID (this can also be a passport or driver’s license) to verify your date of birth and its validity, while comparing the photo on your ID with the actual photo you submit. Together, they will determine if it is the same person in the photo as on the ID.

We also use automated decision making for fraud detection. Our systems will identify any transaction or profile that is deemed suspicious based on the data we have and, based on that information, take a specific approach, such as authorizing a payment, requesting verification of certain data, or blocking a payment or account.

If you wish to object to this automatic decision making, please contact [email protected]

 

Blacklisting
Spotiz may blacklist an account or payment method when it determines that fraudulent activity is associated with it. Accounts and payment methods that have been blacklisted are kept on file to prevent future fraudulent transactions. This list is not shared with third parties and is for internal use only. The purpose of this activity is to prevent fraudulent transactions and protect our users. If you would like to know more about this, please contact [email protected].

 

Your legal rights

Spotiz is committed to respecting the legal rights of its customers with respect to data protection. If you send us a request concerning your rights under data protection law, we will respond within one month from the date of receipt and will try to comply with the request within the same period. If necessary, this period may be extended by up to two months if the request is complex. Please contact [email protected] to exercise the following rights in relation to the personal information that Spotiz processes about you:

 

Right to be informed

You have the right to know more about how we handle your personal data. For more information on this subject, please feel free to browse our privacy policy. We are also available at [email protected] if you have any questions.

Right of access (to said information)

You have the right to request a copy of the personal data we hold about you. This request may be specific (for example, your travel history) or general. If you wish to exercise this right, please contact [email protected].

Right of rectification

You have the right to rectify your information and to amend or update it where the data is incorrect or has changed. It is important that the personal data we hold about you is accurate and up to date. We therefore ask you to inform us if your personal data changes during your relationship with us.

If you wish to exercise this right, please contact [email protected].

Right of deletion

You have the right to request the deletion of your personal information. If you wish to exercise this right, please send an email to [email protected]. Please bear in mind that in certain circumstances we may not be able to comply with your request because legal requirements oblige us to retain your data for a specific period of time. If this is the case, we will inform you of the reason.

Right to limit processing

You have the right to object to our processing of your data. If you wish to exercise this right, please contact [email protected].

The right to object to automated decision making, including profiling

Spotiz performs automated decision making when performing age verification checks. If you wish to object to this type of processing, please contact [email protected].

Right to data portability

You have the right to request that your data be transferred to another organization or that you be provided with an easy-to-read copy for transfer to another organization. If you wish to exercise this right, please contact [email protected].

Right to complain to the data protection authority

If you wish to file a complaint with the competent data protection authority, you can find the website at https://edpb.europa.eu/about-edpb/about-edpb/members_fr

Thank you for giving us the opportunity to address your concerns before you inform your local authority. Please contact us first by sending an email to [email protected].

Right to withdraw your consent

In cases where we have relied on consent to process your data, you have the right to withdraw that consent. If you wish to exercise this right, please contact [email protected].

If you send us a request concerning one of these rights, we will respond within one month from the day of receipt and, as far as possible, we will do our best to deal with your request within this period. If necessary, this period may be extended by a further two months in complex cases (we will inform you if this is the case).

 

For full information on your mandatory rights, please consult the webpage of the data protection authority in your country of residence:

  • For users in Switzerland, here.
  • For users from the European Economic Area, you can find your PAD here.
  • For users in the UK, you can contact the Information Commissioner’s Office here.

If you have any concerns, we would like to have the opportunity to respond before you contact the appropriate local authorities. Therefore, please contact us first by sending an e-mail to [email protected].