Privacy Notices for Passengers in accordance with the EU General Data Protection Regulation (“GDPR“)
for Users of the MyCab Passenger App
Version: March 2020
The information provided below gives you an overview of our Processing of your Personal Data and your
rights pursuant to data protection regulations in connection with the usage of our app’s ride-hailing service
for passengers („MyCab Passenger App“).
Which Personal Data is processed is substantively determined based on the services or products you use.
Table of Contents
1. Information Regarding the Data Controller
3. Data Processing Processes and Purposes
4. Data Exchange within the MyCab Group
5. Provider of Processing Service and Processing Outside of European Economic Area Countries
6. Your Rights
7. Data Security
8. Data Storage
9. Updates and Changes
1 Information Regarding the Data Controller
For passengers the data controller for the territory of Romania as per Art. 4 No. 7 GDPR is:
M&M Express S.R.L. (“MyCab”)
Address: Calea București nr.102/C, Brașov
Phone: +4 0374 90 80 80
The data controller has a data protection officer. You can reach our data protection officer most easily by emailing: firstname.lastname@example.org or by writing to the foregoing address with the subject “For the attention of the Data Protection Officer”.
“Personal Data“ is all information which relates to an identified or identifiable natural person. This includes, e.g., items like the name, postal address, e-mail address or telephone number, but also usage data like your IP address.
“Processing“ is every process carried out with or without automated assistance or every sequence of such processes in connection with Personal Data, e.g. obtaining, capturing, organizing, ordering, saving, adjusting or modifying, sorting, accessing, using, disclosing by transmission, distributing or any other form of making available, comparing or connecting, limiting, deleting or destroying.
“Transportation Company” means any independent contractor or legal entity that legally owns / uses a transport license or authorization issued in accordance with the provisions of Law no, 38/2003 and/or Government Emergency Ordinance no. 49/2019, who has an user account on the MyCab platform created by means of a legal or conventional representative, and with whom MyCab has a direct contractual relationship for intermediation services offered by means of the MyCab platform. This definition shall also refer to those persons authorized to perform activities for which MyCab offers intermediation services, other than the transportation activities regulated within the legal framework mentioned above.
3 Data Processing Activities and Purposes
In the following, we will inform you about the various types of Personal Data we process and for what purpose. The MyCab Passenger App makes it possible for you to procure Journeys through us both with Taxis and with Private Hire Vehicles. For the use of our MyCab Passenger App for procurement of Journeys, you must provide Personal Data which we process in order to perform the respective service. If additional information can be voluntarily shared, these are indicated as being “optional“.
3.1 Journey Procurement
In connection with the procurement service pursuant to Art. 6 (1) b) GDPR, for the purpose of performing our procurement contract with you, and pursuant to Art. 6 (1) a) GDPR as it relates to optional information, the following Personal Data is processed:
For your registration and use of the MyCab Passenger App, we may ask from you and will process the following personal information about you:
First name, surname, e-mail address and mobile phone number (basic data) will be required for the registration on the MyCab Passenger App.
Furthermore, in the context of the procurement of Journeys, we will also process the following data: the time of the booking, the starting and destination coordinates of your Journey and information pertaining to your end user device (Device ID). The starting coordinates can be provided by you (i) manually by placing a pin on the map or, as it may be, inputting an address, or (ii) by transmitting your GPS coordinates. The legal basis for the Processing of your GPS location data is in Art. 6 (1) a) GDPR. The usage of your GPS location data by MyCab can be consented to upon installing the MyCab Passenger App. Via the operating system of your end user device (smartphone, tablet, etc.), you can also consent to the usage of your GPS coordinates by MyCab at a later point in time or withdraw your consent. In principle, Processing of your GPS coordinates only occurs if you are logged in and the MyCab Passenger App is an active app which is open and in use in the frontend.
Without Processing the foregoing Personal Data, we cannot procure a Journey for you with a Transportation Company. This does not apply inasmuch as it relates to optional disclosures.
Please note that the GPS coordinates of the vehicle you are using will be processed by MyCab during the trip, based on a legal obligation of MyCab and in accordance with art. 6 (1) c) GDPR.
Profile picture, workplace and home address are likewise optional disclosures and will only be collected and processed by us if you provide us with this information either at the time of registration or thereafter. We use your profile picture in order to identify you and to avoid fraud situations. To this end, the respective Driver who is carrying out your Journey will temporarily be shown your profile picture (see on this point also cl. 2.1).
The workplace and home address serve to make it easier to save standard routes used by you. The Processing of these voluntarily provided Personal Data occurs on the basis of your consent in accordance with Art. 6 (1) a) GDPR. If you no longer wish your optionally disclosed data to be processed, you can simply delete it from the MyCab Passenger App.
The respective Transportation Company and the Driver who carries out the Journey you have booked will receive your pickup location along with your name and, inasmuch as it is provided by you, your destination and your profile picture, which shall be used for identification purposes. An identification can also be carried out by the Driver asking you for your name before the beginning of the Journey. After a successful procurement of a Journey for you, the respective Driver can call you via the MyCab Passenger App. În the course of this, the mobile phone number you provided during registration will be shown. In this way, you can be informed regarding potential delays (e.g. traffic jams) by the Driver and, for example, details regarding the pickup location can be clarified. After ending the Journey, the Driver is no longer able to access your personal information in his MyCab Driver App.
The legal basis for the transmission of the pickup and destination locations as well as the name and mobile phone number to the respective Transportation Company is Art.6 (1) b) GDPR and, with respect to the optional information such as the profile picture or, as it may be, GPS data, Art. 6 (1) a) GDPR.
In addition to the above, you have the option to provide data on any specific condition you or any of the passengers may have (e.g. disability, reduced mobility) and to communicate with the driver that accepted your trip in order to ensure you adequate conditions for the transportation, to the highest extent possible. Processing of such data is performed by MyCab based on Art. 6 (1) a) GDPR, given that such data is provided by you on a voluntary basis, as well as based on Art. 6 (1) c) GDPR, namely in order to comply with a legal obligation.
3.1.2 Registration/Logging In via Facebook Connect
If you do not wish for your data to be processed as above, you cannot use the Facebook Connect function. If you have used Facebook Connect in the past, you can prevent the further Processing of your data aș saved with Facebook by us if you go to ‘settings’ in your Facebook account and delete the MyCab Passenger App from the ‘Apps and Websites’ category.
3.1.3 Registration/Logging In via Google Account
If you do not wish this, please do not use logging in or registration via Google account. The further Processing of your foregoing data which are saved in your Google account by us can be prevented by going to ‘security’ in your Google account and, there, selecting ‘third party apps with account access’, followed by the option ‘manage third party access’, whereupon the access rights of MyCab Passenger App can be removed.
3.1.4 Integration of Google Maps
3.1.5 Usage of the MyCab Match Function
If you use the MyCab Match Function, your name, profile picture (if you have provided one), starting location and destination location of your MyCab Match Journey will become visible to the other MyCab Match Passenger in his MyCab Passenger App and the same will be processed in accordance with Art. 6 (1) b) GDPR in order to perform the contract. The starting location and destination location will only contain the street name, but no house number. This Personal Data will no longer be visible to the other MyCab Match Passenger following the conclusion of the MyCab Match Journey. Without this transmission, MyCab Match cannot function. If you do not consent to this, we request that you do not use MyCab Match.
3.1.6 Business Account
Tours can also be undertaken and invoiced as trips undertaken for business purposes („Business Trips“) în accordance with the “Framework Conditions for MyCab Business Accounts“. If you are booking a Business Trip via the MyCab Passenger App, or if, after the conclusion of a Tour, you decide to pay for the Tour as a Business Trip via a Business Account, then the data relevant for the invoicing process accessed by MyCab occasioned by the use of the MyCab Passenger App (“Invoicing Data”) will be transmitted to the owner of the Business Account, who authorizes you for a Business Trip, for the purpose of handling and invoicing of the Tour. Invoicing Data include your first name and surname, e-mail address, the Tour price and the starting location and destination location of a Tour. The data will be transmitted to the extent that is necessary for the performance and invoicing of the costs of Business Trips pursuant to Art. 6 (1) b) GDPR to the owner of the Business Account.
If you use the Pay By App function, the following Personal Data will be processed by us on the basis of Art. 6 (1) b) GDPR for the purpose of performing the contract:
First name and surname, start location and destination location of your Journey, country, language, e-mail address, mobile phone number. If you have provided a credit card as a means of payment, the first name and surname of the credit card owner, the issuer of the credit card and the first six and last four digits of the credit card number and the expiration date of the credit card; in the case of PayPal, the e-mail address of your PayPal account and the information pertaining to your end user device (Device ID, etc.).
The payment data provided by you are, in the course of this, transmitted to our payment processors. We utilize multiple payment processors so that, in the event of one suffering an outage, we can continue to support the payment method offered by us.
If you use the offered payment methods via PayPal, the data necessary to carry out the processing of the payment will be transmitted to PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter: „PayPal“). Further information regarding data Processing by PayPal can be found under: https://www.paypal.com/de/webapps/mpp/ua/privacy-full .
All payments service providers are PCI DSS certified (Payment Card Industry Data Security Standard). În providing your credit card data, these will be transmitted via an encrypted connection directly to the payments processor utilized by us. Our payments processor will subsequently carry out a so called authentication of your means of payment by reserving an amount (0.50 EUR) on your account. This ensures that your means of payment is an active means of payment. For security reasons, only the first six and the last four numbers of your credit card are transmitted to us which we save for the purposes of identification and record keeping.
3.2.1 Payment Service Directive
The new regulation on the Payment Services Directive 2 (PSD2) has entered into force. The aim is to standardize security rules and decrease fraud for cashless payments throughout the European Economic Area through the newly required “Strong Customer Authentication” (SCA). This regulation implements a uniform EEA-wide legal framework for the amounts and intervals in which the authentication is required.
Two out of three possible authentication factors must be validated:
1) Something you know, such as a password or PIN.
2) Something you have, such as a credit card or device.
3) Something you are. For example iris pattern, fingerprints or other biometric data.
The selection of the respective authentication methods is the responsibility of the issuing bank.
3.2.2 Travel Expense Tools
You may connect your app profile with a travel expense tool to automatically transfer your journey invoices to an external service provider, who will process them to provide your employer with a detailed overview of travel expenses.
The connection is entirely voluntary and can be revoked at any time in the app menu to end the data transfer.
The legal basis for the processing is your consent, Art. 6 (I) a) GDPR.
The following data may be transmitted: Fare, currency, type of service, optional comment, time and date of the journey, the respective pickup and destination locations, distance and duration.
3.3 Rating of Drivers and Passengers
Via the MyCab Passenger App, you can provide public ratings of Drivers and vehicle, this possibility being granted by MyCab in order to comply with its legal obligation to implement a system for verifying the quality of the rides. If you provide a rating, it will be associated with a particular Journey and taken into account in the context of the average evaluation of the corresponding Driver and vehicle. None of your Personal Data will be transmitted to the Driver. The Processing of Personal Data by MyCab is carried out on the basis of your consent as per Art. 6 (1) a) GDPR, which you provide by offering a rating.
Beyond this, the respective Driver has the possibility to rate you positively as a passenger, but also to inform us regarding problems. The rating in terms of stars ranges from one to five stars, whereby five is the highest point value. The Drivers are urged to support their rating on the basis of the politeness and behavior of the passenger. The ratings are only viewable to MyCab. The Processing of this data takes place on the basis of Art. 6 (1) c) GDPR, considering our legal obligation to implement a system for verifying the quality of the Journey or based on our legitimate interest pursuant to Art. 6 (1) f) GDPR in further developing and improving the quality of our services.
3.4 Fraud Prevention and Non-Payment
Since MyCab is subject to the risk of non-payment in case of non-payment relating to payments with credit cards or the Pay By App function, pursuant to Art. 6 (1) f) and Art. 22 (2) a) GDPR MyCab will, following your registration in the app, conduct an evaluation of the risk of non-payment for each newly entered means of payment and for each booked Journey on the basis of a mathematical-statistical model (Scoring).
To determine the value, the following Personal Data will be processed:
First name and surname, first address at registration, invoice address (if provided), starting location and destination location of your Journey, mobile phone number, language, country, e-mail address, credit card issuer, the last four digits of your credit card number, the expiration date of your credit card, the name of the credit card owner, as necessary the e-mail address of your PayPal account, information regarding your end user device (Device ID) and the version of the MyCab Passenger App.
Under the first address at registration, it is understood that this is the address from which you register for MyCab Passenger App for the first time. The acquisition of addresses, in particular your residential address, is not intended. However, an unintentional use of addresses may occur if your first address at registration is your residential address, in other words if you register from home, or if the invoice address you have provided is, as it may be, identical with your residential address. On the basis of this information, our European fraud prevention service provider will calculate a statistical likelihood of non-payment and, on the basis of the same, will generate a fully automatic decision as to whether you will be offered the Pay By App function in the MyCab Passenger App. The invoice address and the first address at registration along with the other, foregoing Personal Data will be used for the calculation of the score value, but a further Processing or use of these Personal Data will not occur. The procurement function of the App without the Pay By App function is available to every user, independent of score value. If the fully automatic decision on the basis of the score value leads to you not being offered the Pay By App function, you can still use the MyCab Passenger App and make payments either in cash or using an EC card. In this case, you will in any case be informed without undue delay regarding this decision by an e-mail to the effect that you will not be able to use the Pay By App function. If you do not accept this decision regarding the execution of the Pay By App function, please contact email@example.com . We will then once again evaluate the decision while taking your viewpoint into account using a specially trained employee.
In individual cases, a specially trained MyCab employee will conduct the final decision regarding the execution of the Pay By App function in connection with the scoring. In these cases, the decision therefore is not performed in a fully automated manner.
Independent of the fully automated calculation of the score value, we use the foregoing listed Personal Data for the purpose of preventing non-payment by using our own, specially trained employees pursuant to Art. 6 (1) f) GDPR. This means that a specially trained MyCab employee will evaluate the data and, on this basis and in case of irregularities, make a final decision based on his or her own discretion and experience as to whether or not you will be offered the Pay By App function in the app. Furthermore, this employee can in such cases, as it may be, also call a Driver during a Journey and inform the same regarding the nonacceptance of a means of payment. A use of your Personal Data going beyond this will not occur. If the decision of our employee should lead to you not being offered the Pay By App function, you can still use the MyCab Passenger App and make payments in cash or with an EC card. We notify you of the fact that you can use the MyCab Passenger App and our procurement service any time, even if the Pay By App function has been deactivated.
In order to protect you against overpaying for Journeys, the mobile phone of the Driver will transmit, during the Journey, GPS coordinates to us which will allow us to reconstruct the entire Journey. We wish to ensure that the Driver does not intentionally prolong the Journey in order to obtain a higher compensation. If you are of the opinion that you have paid too much, you can make a request with us regarding the route of a Journey. The Processing of GPS coordinates is carried out on the basis of Art. 6 (1) (f) GDPR, to protect your and our interests (e.g. protection against overpayment) and inasmuch as this for the purpose of your and our protection against fraudulent Drivers and/or passengers, as well as on the basis of Art. 6 (1) c) GDPR, for compliance with a legal obligation.
Beyond this, MyCab has a legitimate interest pursuant to Art. 6 (1) f) in using the services of the service provider Emailage LTD, 16 Great Queen Street, Covent Garden, London WC2B 5AH, United Kingdom („Emailage“). This is done in order to avoid non-payment when paying with a credit card or while using the Pay By App function, respectively following your registration in the App and for each new entering of a means of payment which you have selected. The evaluation of the non-payment risk is performed on the basis of a mathematical-statistical procedure (scoring) by Emailage.
To this end, your first name and surname, e-mail address, telephone number and IP address will be transmitted to Emailage for the purpose of risk assessment. Emailage will store this data in order to evaluate the risk score on the basis of a statistical method so that MyCab and other contract partners of Emailage can be provided with information estimating the creditworthiness of customers in the form of a risk score.
The score value obtained through the analysis of Emailage is not used by MyCab for the purpose of an automated decision-making process. Decisions which affect your contractual relationship with MyCab are made by our MyCab employees.
3.5 Bug Fixing and Functionality Improvements
In order to fix bugs in the MyCab Passenger App and to improve functionality of the MyCab Passenger App and to adjust it to suit the needs of passengers, we process the following Personal Data pursuant to Art. 6 (1) f) GDPR on the basis of our legitimate interest:
First name and surname, e-mail address, country, mobile phone number, profile photo (optional input), your GPS coordinates in the moment of booking (insofar as you have permitted access), workplace and home addresses (optional inputs), start location and destination location of your Journey and information regarding your end user device (Device ID, Ad ID), language and time zone.
Insofar as it is sufficient for the fulfillment of the corresponding purpose, we work with anonymous data rather
than with Personal Data.
3.6 News & Personalized Offers
If, in the context of the registration process or later in the profile of the MyCab Passenger App under the rubric “Privacy“, consent is given to receive news & personalized offers (advertising, coupons and special offers) and to show usage-based advertising („Retargeting“), and the correspondingly placed toggle has been activated, you will receive offers and advertising from us, and also for products and services of other companies of the MyCab Group. In this respect, your end user device (smartphone, tablet, PC, etc.)
will receive personalized advertisements via electronic post (e-mail, SMS, MMS) or by another electronic means (via in-app messages, push messages).
In connection with this, we process the following Personal Data pursuant to Art. 6 (1) a) GDPR, insofar aș you have given us the corresponding consent:
First name and surname, passenger ID, e-mail address, residential address or business address (optional inputs), mobile phone number, profile picture (optional input), method of payment, registration data, language setting, profile of MyCab Passenger App (business or private customer), type of Journey (booking, try-out ride), version of the MyCab Passenger App, login information, your GPS location data at the time of the booking and at the time of the end of the Journey or, as it may be, the pickup and destination locations, device ID (device identifier), GAID (Google Advertising Identifier), IP address and usage data (usage frequency, information relating to the downloading of the MyCab Passenger App, status of the registration or of Journeys), language, time zone and city.
If you do not wish to receive the foregoing stated news & personalized offers, you can – just as easily aș you consented – withdraw your consent by activating the corresponding toggle. Of course, you can also contact us by e-mail at firstname.lastname@example.org or send a formless letter to M&M Express SRL at Calea București nr.102/C, Brașov.
Please note that the withdrawal and ensuing changes are valid only for the future and will be effective or, aș it may be, implemented by no later than 48 hours from withdrawal. This is for reasons of a technical nature, which do not permit faster implementation.
3.6.2 Direct Advertising for Existing Customers
If, in connection with the performance of our procurement services, we have received your e-mail address or mobile phone number and you have completed at least one Journey which we procured, we will use these exclusively for our own direct advertising of our own products and services via electronic post (e-mail, SMS and MMS), if you consented to this processing. To this purpose, pursuant to Art. 6 (1) a) GDPR, we process the following data: e-mail address and mobile phone number. You may unsubscribe from direct advertising at any time with effect for the future by clicking on the corresponding link in a relevant e-mail (e.g. to unsubscribe to a newsletter) or by contact via SMS. The direct advertisement sent by us is not personalized.
Please take into account that the objection and the modifications required thereby are valid only for the future and will be effective or, as it may be, implemented by no later than 48 hours from withdrawal. This is for reasons of a technical nature, which do not permit faster implementation.
For sending news, invoices and offer e-mails, we make use of the service provider “GMAIL“, which is operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA („Google“).
Through this linkage, the information you have provided
3.6.5 Facebook Custom Audiences
In order to be able to display individually targeted advertisements about our services within the Facebook social network, a service of Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland, and on Facebook partner sites, we work with Facebook Custom Audiences. We do this so that advertisements (e.g. banners) can be tailored exactly to the possible needs of the customer. The basis of this is a marking process. In this context, the so called advertising identifier (IDFA or GAID) from the customer’s end user device (e.g. smartphone) is sent automatically or manually, using a service provider selected by MyCab, to Facebook via a certain interface. The advertising identifiers are individual, but not personalized and not permanent identification numbers for a certain end user device which are provided by iOS or, as it may be, Android. You can prevent the transmission of advertising identifiers if, in iOS under “Settings” – “Data Protection” – “Advertising”, you select the option “no ad tracking” or, as it may be, for Android, under “Settings” – “Google” – “Advertising” select the option “deactivate personalized advertising.” Further, you have the option to delete the advertising identifier at any time in the device settings (iOS: “Reset Ad-ID”; Android: “Reset Advertising-ID”). Then, a new identification number will be generated for your device which will not be aggregated with the previously obtained data for your device. After the transmission of the advertising identifiers, MyCab will prepare a list of customers who have performed certain actions using the MyCab Passenger App. In this context, certain pre-defined actions can be selected (e.g. installation of the MyCab Passenger App in the previous 30 days). Facebook compares the advertising identifier of the customer with the advertising identifier of individuals with a Facebook profile, defines certain groups (e.g. Group 1: Installation in the previous 30 days) and then shows appropriate ads to this group. Facebook can also use the data to select other Facebook users whose statistical behaviors are similar to those of our customers or app users (so called statistical twins, called Lookalike Audience by Facebook). In this way, our advertising can reach individuals who are not yet using our services but who, with a high likelihood, would be interested in doing so. Customers who are not, at the same time, Facebook users, cannot however be compared by Facebook and they are not shown any advertisements. Furthermore, conditioned upon your consent, we can manually transmit your e-mail address in an encrypted form to Facebook (so called hash procedure). Facebook then compares whether the transmitted e-mail address corresponds with existing Facebook customers. If there is a correspondence, then these target groups will be shown targeted advertisements/campaigns by MyCab on Facebook or on partner websites of Facebook. In connection with Facebook Custom Audiences, we process the following data pursuant to Art. 6 (1) a) GDPR: web identifier (IDFA for Apple or GAID for Google) and the e-mail address.
If you no longer wish for your data to be processed in connection with Facebook Custom Audiences, you can – just as easily as when you gave consent – withdraw your consent in the “Data Protection Settings“ of the MyCab Passenger App *(under the option “Profile“) by turning off the toggle relating to “Personalized Advertising”. Naturally, you can also send us an e-mail to email@example.com or send a formless letter to M&M Express SRL, Calea București nr.102/C, Brașov, Romania.
Please note that the withdrawal and the thereupon ensuing changes are valid for the future and will be effective or, as it may be, implemented by no later than 48 hours from the withdrawal. This is for reasons of a technical nature, which do not permit faster implementation.
3.7 Studies & Surveys
If you have consented in the course of the registration process or, later, in the profile of the MyCab Passenger App under “Data Protection“, to receive studies and surveys, and have activated the corresponding toggle, after a Journey or at some other time, we will contact you after a Journey or at some other time in the context of personalized (sent only to you and based on an analysis of the MyCab Passenger App usage frequency) studies and surveys sent by electronic post (e-mail, SMS, MMS) or otherwise electronically (in-app messages, push messages) and request your participation. In connection herewith, we process the following Personal Data pursuant to Art. 6 (1) a) GDPR:
First and last name, passenger ID, e-mail address, residential and/or business address (optional entry), mobile phone number, profile picture (optional input), payment method, registration date, language set, MyCab Passenger App profile (business or private customer), type of Journey (booking, try-out ride), MyCab Passenger App version, login details (user name), your GPS coordinates at the time of booking and at the end of the Journey, and usage data (usage frequency, information about the download of the MyCab Passenger App, status of registration or Journey), date registered, date of the last login, push tokens, passenger status, redeemed voucher value sum, total number voucher redeemed, voucher value sum on record, total number of vouches active, total number favorite Drivers, number of tours with favorite Driver, work address on record (yes/no), home address on record (yes/no), gross merchandise value, total number of tours, number of cancelled Journeys, rate of Journey evaluations, evaluations, business credit card on record (yes/no), invoice address on record (yes/no), tip value preference.
If you do not wish to be contacted in this regard, you can – just as easily as you gave consent – declare your withdrawal by activating the foregoing toggle. Of course, you can also contact us by e-mail at firstname.lastname@example.org or send a formless letter to M&M Express SRL, Calea București nr.102/C, Brașov,
Please note that the revocation and ensuing changes are valid only for the future and will be effective or, aș it may be, implemented by no later than 48 hours from the revocation. This is for reasons of a technical nature, which do not permit faster implementation.
3.8 Partner Programs, Partnerships
If you wish to collect miles from our frequent flyer program partners by using the Pay By App function (insofar as available), we need your respective program number (e.g. Miles&More number). We transmit to our
partners the program number stated by you as well as your surname, first name and the amount of the fare so that the bonus points/miles in the respective program can be credited. The transmission of this data is performed on the basis of your consent pursuant to Art. 6 (1) a) GDPR.
4 Data Exchange within the MyCab Group
For internal administration and standardization purposes, we may transfer personal data of drivers or passengers within the MyCab Group. The legal basis for this is our legitimate interest in effective company management, Art. 6 (1) f) GDPR, see also Recital 48 to the GDPR.
5 Processor and Processing in Countries Outside of the European Economic Area
In part, we engage for external service providers to process your data (e.g. troubleshooting, creation of mailings). To this end it is necessary for us to transmit your Personal Data to our external service providers for a specified purpose (confined to the purpose in question). We have selected our service providers carefully and engaged them in writing. They are bound by our instructions and we have obtained information about their technical and organizational measures for the secure Processing of Personal Data. We also require that our service providers comply with the applicable data protection regulations. We work with service providers from the EU and foreign EEA countries. We have concluded data processing agreement with our external service providers in accordance with Art. 28 (3) GDPR, inasmuch as this is required for the contractual purpose. The transfer to service providers outside of the European Economic Area takes place correspondingly on the basis of decisions by the EU Commission pursuant to Art. 45 GDPR (e.g. Privacy Shield) or on the basis of standard EU contract clauses.
We store all our data with a cloud service provider within the EU or in IT infrastructures and systems (employee computers) at our sites within the EU.
We do not sell any Personal Data to third parties.
However, we do reserve the right to disclose information about you if we are legally obligated to do so or if we are asked to surrender it by administrative or law enforcement bodies (e.g. police or state prosecutors).
6 Your Rights
If Personal Data belonging to you is processed, you are an affected party in the sense of GDPR and you have the following rights vis-à-vis MyCab:
You can, at any time, free of cost, obtain information regarding the extent, the origin and the recipient of retained data as well as the purpose of the retention (Art. 15 GDPR). You can, at any time, ask for incorrect data to be corrected (Art. 16 GDPR). Additionally, you have the possibility of receiving Personal Data related to you in a structured, common and machine-readable format (Art. 20 GDPR).
You can object to the usage of your Personal Data for the future (Art. 21 GDPR).
You can also ask for a partial or complete deletion (Art. 17 GDPR), limitation of processing or a block (Art. 18 GDPR) of your Personal Data. We will examine this claim and, if there is no other statutory basis for the continued processing, we will comply. We will inform you regarding the result.
Irrespective of any other administrative or judicial legal remedy, you have the right to file a complaint regarding the processing of your Personal Data by us with a data protection authority.
All informational requests, queries, revocations of consent, objections or other issues regarding data protection can also be sent by e-mail to email@example.com or to the address stated in the introduction.
7 Data Security
We have taken appropriate technical and organizational measures to guarantee data security, in particular to protect your Personal Data against access by third parties, as well as accidental or intentional modification, loss or destruction. Such measures are reviewed periodically and adapted in line with the state of the art. The transfer of your Personal Data from your end user device (e.g. smartphone) to us is always encrypted MyCab is PCI DSS (Payment Card Industry Data Security Standard) certified.
8 Storage Period
The data provided by you to us is only stored for as long as is required to perform the respective purpose for which you have transmitted your data, or inasmuch as it is required for conformity with statutory or official requirements. Personal Data is anonymized by us, in principle, after three years, unless we have a legitimate interest in a longer storage period (e.g. bookkeeping requirements).
However, please note that details on every ride performed by means of the MyCab App shall be stored for at least 5 years, in accordance with the law. Financial data may be stored for a longer period of time în accordance with the law, namely for at least 10 years for accountancy and fiscal purposes.
9 Updates and Changes
Privacy notice for driver app