Privacy Statement

Code of Conduct and our promise

Our mission is to provide the best customer experience in the world. Our promise is transparency and simplicity. By transparency, we mean that you as a user of the app have full insight and control over your personal data and how we and affiliates can and may handle it.

By simplicity, we mean a system as user-friendly and simple as possible for purchasing and paying for services and products of affiliated companies via the app. The use of the app is free for you. To achieve all of this, we promise the following:

  • You come first. Without you and your trust in us, no mobyyou; it's as simple as that. That's why we promise you a secure user environment where you are fully in control of your personal data and (privacy and marketing) settings. Click on Settings in the app to view your profile.
  • We like to go the extra mile when it comes to your data and privacy. We treat your data as if it were our own. You are therefore in control and can change the settings at any time.
  • We protect your privacy. We will make every effort to keep, use, manage and secure your personal data safely. We require affiliated companies to collect, process, use and access your data only for the purpose for which it was received. Based on the agreements we make with you, in compliance with applicable (privacy) laws, they will do so. See our privacy statement for more information on how we secure and use your personal data.
  • We comply with laws and regulations. We take our responsibility to comply with applicable laws and regulations very seriously and expect the same from our employees and affiliates. If you see or notice anything that does not comply, please let us know immediately. We will look into it immediately and take appropriate action if necessary.
  • We listen to you. Our app is the result of your experience(s) and suggestions. If you have any comments, please let us know and we will work with your feedback and suggestions.
  • We also expect (and will reward) good behavior from you. Provide the correct information, use the app according to the instructions and fulfill your (payment) obligations to the affiliated companies for the services you have enjoyed.

Our principles

We keep your personal data in a secure and protected manner (just as we keep our own personal data).

  • We request and use only the personal data that is strictly necessary for the use of our services (nothing more, and preferably less).
  • You are in control of your personal data. For each merchant (and associated zone) you determine which of your personal and user data can be used by the merchant for what purposes.
  • We keep your personal data only for as long as necessary for the use of the services (no longer, and preferably shorter).
  • We only use anonymized data to improve our products and services.

Section A contains a brief summary of the how, what, where, why of using and processing your personal data and our promises and your rights.

Section B contains a detailed explanation of the personal data being processed, the processing purposes and grounds, and how, from and with whom we process personal data (including an overview of the definitions used), or the whole story.

In section C, we have included some more additions that apply to certain products or services (such as student travel product, OV-chipcardnumber and direct debit).

A | Long story short

1 | Who processes the personal data and why

1.1 | The controller is mobyyou bv, having its registered office in Eindhoven and its principal place of business at Betagebouw 9 (5656 AE) Eindhoven (KvK 6645539).

1.2 | mobyyou collects, stores and processes certain personal data about you (the User) (see below which data) in order to, on the one hand, offer, provide, enable and/or improve its Services and, on the other hand, the products and services of its business partners (the Merchants) through the Zones, or for your use.

2 | How we collect and process personal data

2.1 | We collect personal data through the app (see your profile for the information you have consented to). The processing of Personal Data by mobyyou includes the storage, transmission and disclosure of certain Personal Data provided by you to mobyyou. The processing also includes the transfer by mobyyou of certain personal data - approved or indicated by you - to specific merchants for which you have given your consent or to which you have subscribed via the app or zone.

2.2 | When activating the app, you will also be asked to make certain phone-specific services available, such as your location and activation of your bluetooth and the app, so that you can take full advantage of the services of mobyyou and its partners without having to enable or activate certain functions (for example, location or bluetooth communication). You can always disable or enable these settings in your profile (default setting is disabled). mobyyou uses these settings and functions exclusively to offer its services and those of its partners and not for other purposes in accordance with this Privacy Policy.

2.3 | mobyyou does not use cookies.

3 | What Personal Data?

3.1 | The Personal Data that mobyyou collects and processes is limited to the Personal Data that mobyyou requests from time to time and that you (as a User) provide or agree to.

  • When you create your profile, we will only ask you for your cell phone number.
  • To be able to use and activate the services of mobyyou, we also need the following personal information from you: name (so fellow users recognize you), bank account (to make payments), and GPS location (for example, to check in and out of public transport).
  • For services or products you have to pay for, if you want to use them, you can add a bank account or credit or debit card information to your profile.
  • For some specific or new services, it may be necessary to provide other personal data (e.g. date/place of birth, passport photo, location/travel, IP/MAC address, battery status, clothing/shoe size, loyalty card(s), etc). Again, you are in control of which merchant you provide which data to and what it may be used for. But please note that if you do not provide certain consents, certain services may not be used and/or benefits may not be enjoyed.

In your profile, you can always adjust your consent to the sharing of certain personal data (including sharing GPS location) (per area or for the entire app) and save this adjustment. Communication is generally through the app or your cell phone number.

4 | Our promise

4.1 | (Trading) your personal data is not and will never be the basis of our business model. We do not trade in personal data. It is your data and you are in control of who can use which data for what purpose.

4.2 | The legal basis for the collection, storage and processing of your personal data by us and the merchants and other relevant stakeholders (see section B under 6) consists solely and exclusively of the following grounds:

  • Your consent in accordance with the settings set by you in your profile (where the default setting is that all consent is withheld);
  • Our contract with you (including this privacy statement); see our general user terms of acceptance and approval;
  • Compliance with legal duty (e.g. certain transaction-related personal data that we are required to share with (semi-)government agencies for statistical purposes), and to the extent that it serves our legitimate business interests (e.g. data protection, verification, identification, security and/or customer service (complaints)).

For processing special personal data (such as passport photo) other than for authentication, we will always request your explicit consent.

4.3 | The purpose for collecting, storing and processing your personal data is the following:

  • To serve you on or through the app and areas selected by you (including handling (financial) transaction and administration of products sold by you and billing).
  • To provide certain of your relevant personal data to merchants so that they may offer and provide their services to you.
  • To fulfill mandatory "KYC" requirements ("know your customer") by us and the merchants you purchase services or products from on or through our app and reporting obligations (such as recalibration surveys).
  • To provide customer service support to and for the benefit of you and our merchants and to improve our service and product.

4.4 | We will respect and comply with the legal privacy principles for data protection and make the following further promises and commitments to you:

  • Protect and Secure: mobyyou will safely store and secure your personal data and only process and disclose it in accordance with the terms of this Privacy Statement and the General Conditions of Use (GTC).
  • Restricted Use: mobyyou will not sell, transmit or otherwise disclose your Personal Data to third parties other than in accordance with the terms of this Privacy Statement or where required by law.
  • Data minimization: We will only ask for personal data that is relevant and required for the purposes set out above. We will disclose to our merchants only that portion of personal data for which you have consented and which is relevant and required for them to provide their service.
  • Accuracy: We will regularly review information held on individuals and remove or amend incorrect information accordingly. You have the right to request that incorrect or incomplete data be deleted or corrected within 60 days.
  • Storage limitation: We will retain personal data for at least the duration of our cooperation with you and for as long as necessary for your use of our services or those of the merchant(s). As soon as we no longer need personal data for the purpose for which it was collected, we will delete or destroy it as soon as possible, unless there are other legitimate or legal grounds to retain it (e.g. dispute resolution or to the extent the relevant merchant(s) has a longer (legal) retention period).
  • Confidentiality and integrity: We will ensure that all appropriate measures are in place to secure the personal data we hold, including protection against internal threats such as unauthorized use, accidental loss or damage, as well as external threats such as phishing, malware or theft. Furthermore, upon your request, we will duly inform you in a timely manner about the personal data we have stored and processed about you and honor your right to the deletion and destruction of your personal data.
  • Responsibility: We have implemented the following controls and measures:
    1. Education and (awareness) training for employees.
    2. Technical and operational security measures.
    3. Processor agreements with relevant third parties.
    4. Documentation on what/where/how/when/why personal data is collected, stored and processed by us.
    5. Periodic data protection impact assessment to identify and monitor privacy risks (prior to and during the processing of personal data) so that, if necessary, appropriate measures can be taken to identify, address and mitigate privacy risks.

5 | What are your rights when you provide us with your data?

You can exercise the following rights: access, cancellation, restriction, modification, rectification and right to be forgotten, all to the extent permitted and compliant with applicable law.

In section B below you will find the detailed explanation of what is summarized above.

In section C below you will find specific and additional information regarding the data processing for certain services and products by mobyyou for or with certain parties (merchants and third parties).

B | Entire story

1 | Definitions and scope

1.1 | The following terms shall have the following meanings:

  • User: (or "you" or "your") means you (the user) of the service, app and customer of the merchants.
  • App: app of mobyyou on which the Services are made available.
  • Services: the Services provided from time to time by mobyyou on or through the app.
  • User ID: the unique (registration) number/code of a User created by mobyyou.
  • Merchant: the provider (and responsible party) of certain services and products (or its affiliates) available through the app in the merchant's area.
  • Merchant products: are the products and services as offered from time to time by the merchant through the app.
  • mobyyou: (or "we" or "our") mobyyou bv (trading as mobyyou), a limited liability company incorporated under the laws of the Netherlands and having its registered office in Eindhoven, the Netherlands.
  • Profile: your profile as stored in the app containing your name, mobile number and any profile or passport photo.
  • Zone: a zone set up by a merchant that a user can become a member (zone member) of. Through the zone, it is possible for the merchant to display and offer communications, marketing and promotions to users who have joined the zone and to offer loyalty programs. Also, through the zone structure, it is possible to record and execute agreements between zones in a transaction.

1.2 | mobyyou is responsible for the collection and processing of your data in and from the Netherlands and, in this regard, acts as data controller of the Personal Data. The merchants with whom mobyyou may share your Personal Data with your consent or to the extent necessary for the performance of their contract with you, are also (co)data controller of the Personal Data that mobyyou shares with these merchants.

1.3 | mobyyou may from time to time engage affiliated group companies to process or access your Data. The Privacy Statement shall apply to each affiliated group company that is responsible for processing the Personal Data for the purposes of this Privacy Statement.

2 | Data Collection

2.1 | The personal data that mobyyou collects from Users depends on the interaction with mobyyou, and more specifically, the choices you make to share certain data and not share certain data with mobyyou (and possibly the merchants) and the products, services and features used, and may include the following personal and non-personal data.

  • Your contact information: First name/surname, date of birth (if required), cell phone number, user ID and loyalty card(s) (if applicable).
  • Financial Data and Transaction Data: We collect data necessary for the settlement and payment of the products and services used, consumed or ordered - through the app; such as (if applicable) your bank details, credit card details and relevant transaction data (such as travel data/location(s), date/time, benefits/personal entitlements, etc).
  • Other Data: When communicating with mobyyou, mobyyou collects and processes communications via email.

3 | Information we collect automatically

3.1 | Depending on the use of the selected Services or app, mobyyou also collects information automatically, some of which may be personal data. This includes data such as language settings, IP address, location(s), device settings, device OS, log information, usage time, requested URL, status report, user-agent (browser version information), operating system, browsing history, user ID and type of data viewed.

4 | Other information we receive from other sources

  • Data related to law enforcement and tax authority requests: law enforcement or tax authorities may contact mobyyou with additional information about Users in the event that they are part of an investigation.
  • Fraud detection: In certain cases, and as permitted by applicable law, mobyyou may need to collect data through external sources for fraud detection and prevention.

5.1 | mobyyou uses the previously described information of Users, some of which may be personal data, to the extent relevant, for the following purposes:

  • Registration, account management and (financial) administration (i). mobyyou uses account information, financial information and contact information to be able to manage and maintain the relationship with the User, including for registrations with mobyyou, account management, verification purposes and financial administration and management (billing, reminders, demands and (extrajudicial) collection).
  • Contract performance, customer service and support (ii). mobyyou uses the relevant data for the performance of the contract that the User has concluded with mobyyou (or the merchant) or to allow the User to use the services offered by mobyyou (or the merchants) (including exercising any personal rights and benefits). mobyyou further uses the information provided, which may include personal data, to provide support services, such as responding to requests, questions, complaints, problems and concerns of Users or clients. In this context, the relevant Personal Data may be exchanged back and forth between mobyyou and merchants and used for the purpose for which the parties have agreed (e.g., when referring to the other party's customer service).
  • Marketing and newsletters (iii). We will not send you marketing messages or newsletters without your request or consent. mobyyou will always obtain your consent before processing personal data for marketing purposes or when otherwise required by law. This also applies to merchants who have obtained your personal data or User ID through us. They may perform these activities with your personal data or consent obtained through other channels, parties or you yourself. Upon your consent, you may from time to time receive push notifications and other forms of targeted and untargeted marketing messages, advertisements and promotions from (or through) mobyyou and from the merchants for which you have given your consent.
  • Other communications and activities (iv). There may be times when we contact you or you contact us, for example to exchange requests or comments between you, mobyyou and/or the merchant. Also, mobyyou may send you logistical or administrative messages (for example, alerts). Communication is possible through the available communication channels (including e-mail and SMS). If a (prospective) User uses an online registration facility and has not completed the registration, mobyyou may send a reminder to proceed, or contact you to complete the registration or sign in as a User with the relevant personal data (or contact information) as provided to mobyyou. We may also contact you for quality purposes and product improvements in the event of any termination or disuse of the app. We believe that this additional service is useful for our users because it allows us to continue with the registration without having to fill in all the registration information all over again. mobyyou may also use your personal data, such as contact information, after your consent, to inform you about system and product updates and any malfunctions and defects.
  • Analysis, internal reporting, product improvement, surveys and research (v). mobyyou uses the information provided, which may include personal data, for internal analytical purposes. This is part of our efforts to improve the mobyyou Services and the User experience, but may also be used for testing purposes, troubleshooting and to improve the functionality and quality of the mobyyou Services. mobyyou may also invite Users from time to time to participate in surveys, provide a review, participate in our Users and Travelers panel or conduct other market research. By participating in any survey, user and traveler panel or market research or providing review, you consent to the use of your personal data for these purposes. Finally, aggregated anonymized data may be used for analysis and internal reporting purposes. To the extent you have consented to share the user ID with one or more merchants, it may be used for similar analytical purposes by the relevant merchant(s). In order to (continue to) improve our service and detect any bugs or any defects and malfunctions in a timely manner, we may ask certain users with exceptional (high, irregular, notable) usage to share their (usage) experience and feedback.
  • Security, fraud detection and (fraud) prevention (vi). We also process the information provided, which may contain personal data, to investigate, prevent and detect fraud and other illegal or infringing activities. This may include personal data that a User has provided to mobyyou, for example for verification purposes as part of the registration process or for identification when using the app (for example, for travelers on public transport), automatically collected personal data or personal data obtained from third-party sources. mobyyou may also use personal data to facilitate prosecution when necessary. For these purposes, personal data may be shared with law enforcement agencies and outside counsel. mobyyou may use personal data for risk assessment and security purposes, including user authentication.
  • Legal, enforcement and compliance (vii). In certain instances, mobyyou may need to use the information provided, which may include personal data, to process and resolve legal claims and disputes, for investigations and regulatory compliance, or to enforce agreement(s) with Users or resolve a complaint with or for a User. Further, we are required to share certain person-related information (in an anonymized and/or aggregate manner) with governmental or semi-governmental agencies for reporting purposes.

5.2 | As applicable for purposes (i) and (ii) above, mobyyou relies on the legal basis that the processing of personal data is necessary for the performance of the contract between the User and mobyyou (or the merchant). If the required information is not provided, mobyyou cannot accept or otherwise cooperate with a User, nor can we provide customer service.

For purposes (iii) and (iv) regarding the sharing of your User ID with the relevant merchant(s), mobyyou relies on the legal basis of consent or approval, which you, the User, must first provide. The same applies to purpose (v) whereby the User participates in a survey, user/traveler panel or market research, and thereby consents to the use of Personal Data for these purposes.

For purposes (iv) to (vi) above, mobyyou relies on its legitimate interest (or that of third parties) to provide its Services or obtain Services from Users, to prevent fraud or unlawful/abusive use, and to improve its Services. When personal data is used to serve the legitimate interest of mobyyou or a third party, mobyyou will always balance the rights and interests of the Users in the protection of their information against the rights and interests of mobyyou or those of the third party.

For purpose (vii), mobyyou also relies where applicable on compliance with legal obligations (such as lawful law enforcement requests or recalibration investigations).

To process special personal data (such as passport photo) other than for authentication or your profile picture (optional), we will always seek your explicit consent.

6 | Sharing data with third parties

We share users' information, which may include personal data, with third parties as permitted by law and as described below.

  • Merchants: We share personal data with merchants (external third party/service provider) as required to fulfill our obligations under our agreement with you or to enable the merchant to perform their agreement with you (e.g., to order products and services, handle claims and complaints, etc.), to detect and prevent fraud, to store data, to otherwise support our business processes, or to conduct business on your or our behalf.
  • Consumer and/or traveler agencies and organizations, (semi)government agencies and savings/loyalty programs: To verify and control the status and rights of certain users and travelers (such as students, season ticket holders, loyalty members, etc) for discounts or benefits offered by merchants and/or affiliated savings/loyalty programs, certain personal data and/or transaction data may be verified and/or shared with certain agencies, organizations and parties to verify the respective status and rights and/or to claim, earn or redeem benefits, loyalty points and discounts. Processing of personal data for these purposes will only occur to the extent that the user has previously indicated eligibility for certain benefits or discounts and/or shared loyalty card(s).
  • Payment providers, collection agencies and other financial institutions: We share personal data with financial parties to facilitate, process and effect payments between a User and merchant (e.g. automatic or out-of-court collection for the collection of relevant fees, charges, invoices) or a User of mobyyou.
  • Forced disclosure: If required by law, in legal proceedings or to protect our rights, we may disclose personal data to law enforcement or regulatory investigations with mobyyou or its affiliated group companies regarding the User (or its affiliates, directors, officers, employees or representatives). See Section C for more information on specific parties with whom certain information is shared and for what purposes.

7 | Data sharing within the mobyyou group of companies

mobyyou may receive/share personal data about a User from/with its group companies for the following purposes:

  • Account and relationship management and business support
  • Support services to and on behalf of mobyyou (including customer service)
  • Financial maintenance and support (collection of outstanding invoices)
  • Compliance with policies and applicable laws (e.g. KYC diligence, law enforcement)
  • Detect, prevent and investigate fraudulent or other illegal activities and data breaches
  • Research (to improve service), analytical and product improvement purposes

8 | International data transfers

In case your personal data is processed by a recipient outside the European Union, we will, if necessary, enter into contractual arrangements with that recipient to ensure that your personal data is still protected in accordance with European standards and this Privacy Statement.

9 | Sharing and disclosure of aggregated or anonymized data

We may share information in (highly) aggregated or anonymized form and/or in a form in which the recipient of such information cannot identify you, with third parties, for example, for industry analysis and demographic profiling.

10 | Security

In accordance with European data protection legislation, mobyyou observes legal and otherwise necessary procedures to prevent unauthorized access to and misuse of information, including personal data. We use appropriate business systems, controls and procedures to protect and secure personal data. We also use security procedures and technical and physical restrictions for access to and use of personal data on our servers. Only authorized personnel have access to personal data in the course of their work.

11 | Data Retention

We retain Personal Data for as long as we deem necessary to manage the business relationship with a User, to provide the mobyyou Services to a User, to comply with applicable laws (including those relating to document retention), to resolve disputes with parties and otherwise as necessary for mobyyou to conduct its business. All personal information we retain is subject to this Privacy Statement and our internal retention guidelines. If you have a question about a particular retention period for certain types of personal data we process about you, please contact us using the contact information below.

12 | Your choices and rights

Depending on where you are located or the mobyyou entity processing your personal data, various rights may apply to the processing of personal data as set forth in this Privacy Statement. As applicable:

  • You can ask us for a copy of the personal information we hold about you.
  • You can notify us of any changes to your personal information, or ask us to correct personal information we hold about you.
  • In certain situations, you can ask us to delete, block or limit the personal information we hold about you or object to certain uses of your personal information.
  • In certain situations, you can also ask us to send the personal data you provide to us to a third party.

Where we use your personal data on the basis of your consent, you have the right to withdraw that consent at any time, subject to applicable law. In addition, where we process your personal data on the basis of legitimate interest or public interest, you have the right to object at any time to such use of your personal data, subject to applicable law. This may result in us no longer being able to provide you with service or support.

A user is responsible (and will ensure) that his/her personal data is true, complete, accurate and up to date. Always notify us in a timely manner of any changes to or inaccuracies in your personal data.

13 | Questions or complaints

If you have any questions or comments about our processing of your personal data or wish to exercise any of your rights under this Privacy Statement, please contact us at support@mobyyou.nl. All privacy-related questions and complaints reported to mobyyou will be investigated. mobyyou will attempt to resolve complaints and queries in accordance with its internal policies. You may also contact your local data protection authority with questions and complaints.

14 | Changes to the Privacy Statement

This privacy statement may also change. If we make material changes or modifications that have a material adverse effect on you (for example, if we start processing your personal data for purposes other than those set out above), we will inform you in a timely manner before we start such processing.

C | Additional terms and conditions for certain products and services

In addition to what is set forth above, the following services and products are subject to the following additional specific terms and conditions. In the event of contradiction between the terms and conditions below and what is set out in Section A or B, the following shall prevail.

1 | Student travel product and OV-chipcardnumber

What personal data:

  • Student travel product - OV-chipcardnumber

2 | Basis

  • Student travel product:

The basis for processing is the performance of the agreement, legitimate interest and legal task of Regisseur Studenten Reisrecht (RSR).

  • OV-chipcardnumber:

The basis for processing is the performance of the agreement and legitimate interest (in order to obtain any right to a discount).

3 | Processing goals

  • Student travel product

Purpose: enabling travel with student travel product and supporting students through customer service. We only process the data you provide to us in order to use a travel product in your name, to enjoy certain benefits (such as student and/or off-peak hours discount) and insofar as these are necessary to enter into a travel agreement with you and to carry it out by facilitating travel with the student travel product (for example, customer service support). If you do not wish to provide personal data to us, you will not be able to travel with the student travel product as this is a personal product.

Purpose: research for statistical purposes. We also commission research for statistical purposes. For this research the processing of personal data may be appropriate and sometimes even necessary. For example, you can think of aggregated data such as number of people entering and leaving a station. In this case, we will take appropriate safeguards such as pseudonymization, taking into account the framework in which the data was collected. This data is neither published nor further processed in a way that affects data subjects.

4 | OV-chipcardnumber

Purpose: possible entitlement to discount. We share data with RSR, relevant transport companies with which travel is made and third parties who may conduct research for statistical purposes.

5 | Additional personal data

In order to use student travel product and relevant benefits, mobyyou will ask for your OV-chipcardnumber and share it, from time to time, with the RSR and/or the carrier so that the correct fare can be charged.

How long do we keep your data?

When you travel with MBY, we keep your personal data including travel transactions for 18 months after making the trip.

6 | (direct debit) Transdev and Connexxion travel product

What personal data:

For financial administration and management (including collection by third parties (see below)), mobyyou (and its auxiliaries (see below)) uses the app and the user's cell phone number (including name and any relevant travel information).

7 | Processing purposes

Financial administration and management including (extrajudicial) collection purposes and any related communication and correspondence (by phone or text message).

With whom do we share data?

For users in the Netherlands: mobyyou uses CollectMasters bv (trading under the name "NIKKI") for all its collection activities related to the Transdev and Connexxion travel product.

To the extent required, the User hereby agrees that any (extrajudicial) collection (including related correspondence and communication) by mobyyou and/or NIKKI may take place via the User's cell phone number (via telephone or SMS) (in addition to any communication via the app).

Version: February 26, 2024