Privacy Policy

At UbiRider we are committed to improving your mobility by providing a service that aims to make urban mobility smarter. However, we are also concerned with protecting the privacy and personal data of the users of our digital platforms.

In this context, in compliance with the principle of transparency, we have created this Privacy Policy, which is an integral part of and should be read in conjunction with the "Terms and conditions of use" (available here). We hope to help you understand how your data is processed, for what purposes, for how long, to whom it is transmitted to and under what security measures.

The data processing described in this Policy applies all our digital platforms, including UbiRider's website and mobile application PICK. When accessing these platforms, you may be asked to provide some personal information, whenever necessary to provide a service, when you give express and unequivocal consent for this purpose, or when required by any legal obligation.

‍

1. Who is responsible for the collection and treatment of your personal data?

UbiRider S.A., with Tax Identification Number (NIPC) 514908688, with headquarters at Alfredo Allen, no. 455/461, room 1.03, Paranhos, 4200-135, Porto, Portugal is the entity responsible for processing the personal data collected through user activity. As such, the personal data you provide here will always be managed by this company, as the data controller and responsible for processing, in accordance with Regulation (EU) 2016/679 of the European Parliament and the Council, dated April 27, 2016 - hereinafter referred to as GDPR.

However, in providing its services, UbiRider may share your personal data with various mobility operators or payment services provider partners, who, in certain situations, may act as subcontractors, joint controllers, or independent controllers. In the case of joint responsibility, agreements are made between the parties concerning data protection, which transparently define the responsibilities for complying with the applicable legislation.​

‍

2. What personal data will be requested?

When using our digital platforms, we will request the personal data necessary to provide our service, as well as some that will allow us to personalise and enhance your user experience, particularly within our app. The latter will be collected based on your express and unequivocal consent.

In any case, no more information will be collected than what is necessary for the stated purposes, enabling us to offer the best travel options by aligning your needs with those of the operators.

Depending on the means, form, and purpose for which the data is used we may request the following personal data when you visit and use our platform or whenyou register:

1. Master data, such as your name, gender, date of birth, and tax identification number;
2. Contact information, such as your address, email address and phone number;
3. Travel and booking information, such as the number of passengers, booking details, travel itinerary, scheduled trips, and travel history;
4. Geolocation data, which will only be accessed with your prior consent;
5. Browsing data or preferences, such as browsing history, visited content, time spent on each content, date and time of access, and method of access (mobile device, computer, etc.);
6. Information collected through the social network from which you logged in, which may include your name, gender and profile picture;
7. Payment data, such as the payment method used and the necessary details to conclude the transaction, depending on the payment method you select, in cases where the ticket is purchased directly from UbiRider through its payment service partners.

Finally, UbiRider will also use your personal data in an anonymised and aggregated manner to transmit information related to the commercial preferences of service users to its partners.

Additionally, when applicable, in cases where UbiRider directly sells services provided by its partners to platform users, UbiRider may transfers payment-related information to the respective service providers.

‍

3. For what purpose do we request and process this data?

The personal data collected, regardless of the platform through which was provided, will be used exclusively for the provision of our services and for the following purposes:

1. 1. Within the scope of contract execution and pre-contractual measures (Article 6, para. 1, point b) of GDPR):
   • a) To provide the service, specifically to present the best travel options with mobility operators, based on criteria selected by the user (e.g.: fastest, cheapest, etc.);
   • b) To issue tickets, manage payments, issue and send invoices;
   • Management of complaints and suggestions that may arise from eventual flaws in the service provided.
   2. With your consent (article 6, no. 1, paragraph a) of the GDPR):
   • Geolocation data;
   • Contact information for marketing purposes to non-customers;
   • Contact information for sending our newsletters.
   3. For the prosecution of UbiRider, S.A.’s legitimate interests (article 6, no. 1, paragraph f) of the GDPR):
   • Fraud prevention and detection;
   • Customer relationship management, in order to understand how our platforms are used by our visitors and therefore optimizing the service provided;
   • Direct marketing actions, to our well-known customers, offering each one bespoke services and meeting their needs in order to refine the relationship with those clients.

‍

4. When do we request access to your data?

UbiRider collects your personal data only when absolutely necessary for the exclusive compliance of the legitimate purposes herein laid down, with all security measures required for the data processed. UbiRider will not use the data collected for other purposes than those aforementioned. UbiRider will request access to your data when you access our platforms, when you register at our app, when you fill questionnaires at our website or app and, finally, when you purchase our services.

The moment when we collect your personal data will vary according to several circumstances. We may collect your data:

4.1 When you create a user's account

To create a user’s account and profile, it is necessary to collect some personal data, whether you do it directly at our mobile platform or through a third party social network which you registered with.

4.2 When you use our services

We may collect personal data on your access and your use of our services, such as location, search history, travel information, IP address and future booked trips. Whenever UbiRider is responsible for issuing the transportation title, we will also collect payment data, namely, the payment method and all connected data required to conclude the purchase according to the payment method chosen.

Your data thus collected will not be processed for other purposes than those mentioned or, to purposes not compatible with the purposes for which the personal data are initially collected. UbiRider commits to the safety of the processing activities and to the privacy of each user’s data.

4.3 Suggestions and Complaints

If you contact us to send suggestions or complaints, it will be necessary to collect some of your personal data so we can communicate with you and solve the issue.

Regardless of the subject, we will have to keep your identification information and contact information in our database, so we can answer your complaint/suggestion.

However, if for the purpose of addressing your complaint/suggestion, a clarification with a mobility operator provider is deemed necessary, your data will be transferred to this third party.

4.4 Sending of newsletters

You can register to receive our newsletter at our website. In this case, and if you give your specific and unambiguous consent, your email will be processed for this purpose.

4.5 Issuance of invoice or of other fiscal document

Your Tax ID Number may be required to comply with legal requirements (e.g., invoicing) and will be processed by Ubirider or the mobility service provider according to the agreement between the parties and the responsibility for invoicing.

​Whatever the case is, the user will always be entitled to request an invoice with Tax ID Number.

‍

5. With whom do we share your personal data?

Your data will be kept by UbiRider, acting as a Controller.

However, in certain circumstances, and in order to provide our services, we have to share your personal data with the mobility services providers we work with or with the payment services providers.

Mobility services providers act as Controllers themselves so you should visit and read their own privacy policies. If UbiRider and one of these providers become Joint Controllers for any or some of the processing activities, a written agreement will be concluded between the parties reflecting, in a transparent manner, the purposes and means of the processing of your data, as well as the responsibilities of each party in the conservation of the data processed, always in compliance with data protection legislation in place.

The payment services providers act as Processors and guarantee full compliance with the laws and regulations related to Data Protection and Privacy.

You can confer all mobility operators to which UbiRider, S.A. may transmit your personal data and access the privacy policy of each one of them here (Fertagus, Trevo, Próximo).

Likewise, whenever the ticket is purchased directly from Ubirider the provision of our services implies transferring your data to the payment services providers.

You may consult the list of payment services providers Ubirider may transfer your personal data and access their own privacy policies here: Viva Wallet.

Besides the above mentioned cases, UbiRider may also resort to services provided by other companies, which may entail, at least partially, the treatment of your personal data. However, these entities will be judiciously selected by UbiRider. UbiRider commits to only work with entities that comply with the data protection laws and that offer, at least, the same level of protection that Ubirider does.

Finally, UbiRider may be required to share your personal data with other entities in order to comply with legal obligations.

​

6. Where is my personal data stored?

The personal data that you provide UbiRider with will be stored at servers located within the European Union. If necessary, and according to the terms of the services agreed upon, the processors may transfer your data to servers located in third countries, that offer the same level of protection, as that in force in EU member-state entities or that demonstrate an adequate level of protection.

UbiRider uses Amazon Web Services EMEA SARL (AWS) services, based at 38 Avenue John F. Kennedy, L-1855, Luxembourg and Google Cloud EMEA Limited services, based at Clanwilliam Place, Dublin 2, Ireland, specifically Firebase services.

The data transferred to these processors, taking into account UbiRider's headquarters, will be, by default, stored on servers located in the European Economic Area. Such data shall be subject to adequate security measures, under the terms of the agreements for the processing of personal data proposed by these services providers which, by contracting the services, UbiRider has accepted.

Furthermore, if necessary, AWS may occasionally and temporarily transfer this data to a third country. Google Firebase services reserves the right to carry out such transfers without justification. The selection of the recipient countries, in accordance with the commitments made in their respective policies, terms and agreements, will always be carefully considered and will fall upon countries that offer adequate guarantees for the processing of this personal data.

Without prejudice, both offer alternative mechanisms to provide adequate safeguards, namely the standard contractual clauses applicable to the transfer of personal data to third countries under Regulation (EU) 2016/679 of the European Parliament and of the Council, adopted as an annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

If you want to know more, please consult the following documents:

Regarding Google Firebase Services:

• https://cloud.google.com/terms/google-entity
• https://firebase.google.com/terms/
• https://firebase.google.com/terms/billing
• https://firebase.google.com/support/privacy
• https://firebase.google.com/terms/data-processing-terms
• https://cloud.google.com/terms/data-processing-addendum
• https://firebase.google.com/terms/firebase-sccs-eu-c2p

Regarding Amazon's AWS services:

• https://d1.awsstatic.com/legal/aws-customer-agreement/AWS_Customer_Agreement_Portuguese_Translation.pdf
• https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf
• https://d1.awsstatic.com/Controller_to_Processor_SCCs.pdf

​

7. How long do we store your personal data?

UbiRider, S.A. will retain your personal for as long as necessary for the purposes mentioned or, where applicable, for the period required by law. Retention periods vary depending on the type of data processed and its purposes, and are defined on a case-by-case basis.

As soon as the reason for collecting the data ceases, if the data is no longer necessary for the establishment, exercise or the defense of legal claims and there is no legal obligation to keep the data, the data will be anonymised or deleted in a secure manner.

​​

8. Are your data processed securely?

UbiRider is concerned with the security of the personal data it processes and implements appropriate technical, organisational, and administrative security measures to protect the data stored, including against loss, misuse, unauthorised access, disclosure, alteration, and destruction.

Once the purpose that justified the collection of your date ceases to apply, and provided the data is no longer necessary for the defence of any legal right of UbiRider or a third party, or if there is no legal obligation to retain the data, your data will be securely deleted or anonymised.

‍

9. Do we use cookies? What are they and how do we use them?

Cookies are small files or pieces of software that are stored on the user’s device through the browser used, collecting information about how each digital platform is utilised. There are different types of cookies, some that are more intrusive than others, depending how much information they collect, how widely they disclose it, and how persistent they are, based on the duration of their stay on the user's device.

Indeed, like many other operators, we use cookies to improve the performance of our website and enhance your browsing experience, either by speeding up the website's response to your interactions or by not requiring you to repeatedly entering your information - such as user details. Specifically, we use cookies for the following purposes:

a. Remembering some of the information that you provide so that you don't have to re-enter it, including communication exchanges, sending newsletters or recalling your registration details;

b. Ensuring the proper functioning of our website and improving your browsing experience;

c. Identifying how you access our website;

d. Identifying the geographic location from which the access to our website originates;

e. Retaining user browsing preferences so that we can understand, in an aggregated manner, which content, services, and features generate the most interest.

The following table contains the list of cookies we use on our platform:

‍

We use third-party cookies, such as the Google Analytics service, because it allows us to understand and track the behaviour of our users. This service, provided by Google, helps us gather information and assess user activity on this platform, improving the overall user experience. Specifically, it helps us gather details like the number of times a user visits our platforms, the duration of the visits or the pages from which the accesses are made.

For more information on how to configure these cookies, we suggest you consult the following page: Google Analytics Cookies

In accordance with applicable legislation, we provide information on how you can configure your browser in relation to cookies. For this purpose, you should consult the official support pages of major browsers or follow these links to modify your browser preferences:

Chrome:https://support.google.com/accounts/answer/61416?co=GENIE.Platform%3DDesktop&hl=en

Firefox:https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website

Internet Explorer:https://support.microsoft.com/pt-pt/help/17442/windows-internet-explorer-delete-manage-cookies

Safari:https://support.apple.com/en-gb/guide/safari/manage-cookies-and-website

Additionally, some browsers also offer "DNT" (Do Not Track) tools. You can also manage your cookies preferences through the following link: Your Online Choices.

Finally, to improve our services, third-party tools/plugins such as Facebook, Instagram or Twitter may also be used. These plugins allow the user's browser to establish a direct with the respective social networks, providing access to sharing and additional content. However, since UbiRider does not control or influence the content of the social networks plugins, to obtain more information on the extent of personal data collection and processing through these plugins, you should refer to privacy policy of the third parties in question.

‍

10. What are your rights?

As a data subject, you have the right to request information about your personal data at any time, reasonably and free of charge, to understand what UbiRider retains or knows about you. Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:

a) Right of Access: You have the right to request confirmation as to whether or not we are processing your personal data. If we are processing it, you can ask request access to that data, including information on the purposes of processing, the categories of data being processed, and the recipients of the data.

b) Right to Rectification: You have the right to request the correction of any inaccurate or incomplete personal data we hold about you.

c) Right to Erasure (Right to be Forgotten): You have the right to request the deletion of your personal data when it is no longer necessary for the purposes for which it was collected, if you withdraw your consent, or if the data has been processed unlawfully.

d) Right to Restriction of Processing: You can request that we restrict the processing of your personal data in the following situations:

• a) If you contest the accuracy of the data;
• b) If the processing is unlawful but you oppose erasure;
• c) If we no longer need the data for processing purposes, but you require it for legal claims;
• d) If you object to processing based on our legitimate interests, pending verification of whether our legitimate grounds for processing override your rights and freedom.

e) Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another data controller, where technically feasible.

f) Right to Object: You can object to the processing of your personal data based on our legitimate interests or those of a third party, unless we can demonstrate compelling legitimate grounds for processing that override your rights and freedoms.

g) Right to Withdraw Consent: If the processing of your personal data is based on consent, you have the right to withdraw your consent at any time. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.

h) Right to Lodge a Complaint: If you believe that your rights under data protection law have been violated, you have the right to lodge a complaint with the relevant supervisory authority. In Portugal, this is the Comissão Nacional de Proteção de Dados (National Data Protection Commission - CNPD), through the following contact details:

Address: Rua de São Bento, 148 - 3º, 1200-821 Lisboa

Phone Nº: +351 213 928 400

Fax: +351 213 976 832

Email: geral@cnpd.pt

Website: https://www.cnpd.pt/.

The rights of access, rectification, erasure, objection, restriction of processing, and data portability, in accordance with the EU General Data Protection Regulation (GDPR), can be exercised by updating your profile in the personal area of our mobile platform or by contacting us via email at dpo@ubirider.com.

However, the deletion of your user account and the revocation of your consent(s) on our mobile platform will only take effect on that platform and will not be effective regarding other registrations or consents provided on our website, and vice versa.

All request will be analysed within a reasonable time frame, to which UbiRider will respond promptly, and, where possible, within a maximum period of 30 days.

​

11. Changes to the Privacy Policy

This Privacy Policy may be amended or adjusted at any time, whenever deemed necessary. Therefore, although such changes will be dully publicised, we recommend that you regularly visit this page and review the most up-to-date version.

​Last update: November 6th 2024

© UbiRider, all rights reserved 2024