This Policy establishes a responsible and transparent framework for ensuring compliance with the General Regulation on Personal Data Protection.
The policy applies to all organizational parts of Get by ApS (hereinafter the DATA CONTROLLER) and to all employees, including part-time employees and temporary workers, as well as to all the external associates acting on behalf of the data controller.
The data controller is dedicated to doing business in accordance with all laws, regulations and the highest standards of ethical business.
This policy sets out the provisions for the expected treatment of employees of the data controller and external associates involved in the collection, use, storage, transfer, publication or destruction of any personal data belonging to employees, business partners of the data controller and other individuals. The purpose of the policy is to standardize the protection of the rights and freedoms of the respondent by preserving the privacy of their personal data in all aspects of the data controller's business that include personal data. This policy establishes that Get by ApS will not unauthorizedly disclose personal data to a third party, nor act in a manner that endangers them.
Products and legal entities
GDPR Compliance Statement
The GDPR (General Data Protection Regulation) is an important piece of legislation that is designed to strengthen and unify data protection laws for all individuals within the European Union. The regulation becomes effective and enforceable on the 25th May 2018. Get By Aps. -GetByBus is fully committed to achieving compliance with the REGULATION (EU) 2016/679 GDPR even prior to the regulation’s effective date, as well as to protecting personal information which stipulates that the personal data given will not be passed on to third parties without client’s consent and will be kept in a safe manner in accordance with the requirements of the Regulation as long as there is a need or no request for withdrawal of consent, deletion, restriction or correction of data.
Get By Aps. -GetByBus will not collect any personal information about you (such as your name, address, telephone number, or email address), unless you voluntarily choose to provide them (e.g. in surveys, query, request etc.) or give your consent or unless otherwise provided by relevant laws and regulations for the protection of your personal data.
Personal data of children
When providing information society services directly to a child, processing of personal data of a child is lawful if the child is at least 16 years old. If a child is below the age of 16, such a treatment is lawful only if and to the extent that the parent has given or approved the parent's liability to the child. Get By Aps. -GetByBus invests reasonable efforts to check whether or not the custody of such a parent has been or has been approved by the holder of parental responsibility for the child, taking into account the available technology.
Given the fact that GetByApS is aware of the importance of protecting sensitive data on the minors, GetByApS retains data on minors only during the period necessary to fulfill the contractual/legal obligation (all unnecessary data on minors are anonymized no later than 45 days after the contractual obligation has been concluded or no later than 45 days after the trip).
Lawfulness, fairness and transparency
We will process your personal information only on the basis of legal obligation, your privacy or other legitimate grounds. Data related to you will be collected, used, inspected or otherwise processed transparently, while the deadlines and data processing purposes, the processing manager's identity data, information on how you can access your data, the process of filing complaints and updating the data are all publicly disclosed.
Your personal information will be collected for special, explicit and legitimate purposes and will not be processed in a manner that is inconsistent with these purposes. Data collected for one purpose will not be used for any other purpose or in a manner that is not in accordance with the approved purpose. For purposes of processing that is not carried out on the basis of a legal basis or contract we will ask you for a special privilege.
The personal information we collect is appropriate, relevant and limited to the purpose of processing. The processing manager and processor will not collect any personal information that is not required for processing purposes.
Accuracy and integrity of data
It is necessary that the personal information we collect and prepare is accurate and up-to-date and that is why we will take every reasonable measure to ensure that the personal data that is incorrect are deleted or removed without delay, taking into account the purposes for which they are being processed.
The deadlines for keeping your personal data are determined by positive legal regulations or by your privacy to collect and process your personal information.
Integrity and confidentiality
In order to protect your personal information from accidental or unlawful destruction, loss or alteration, and from unauthorized disclosure or access, Get By Aps. -GetByBus use technical and organizational security measures.
Privacy built into system design
When designing new and reviewing and expanding existing systems and personal data processing, special care will be taken to apply all these principles to maximize the privacy of respondents.
All respondents whose data are collected and processed by the controller have the following rights:
Right to access information
Each respondent has the right to a copy of the data that the controller has in their archive for the purpose of insight. In addition to the right to inspect their own data, the respondent also has the right to information:
- on the purpose of processing and the legal basis for processing
- on a legitimate interest, if the processing is based on it
- on the types and categories of personal data collected
- on third parties to whom the data are forwarded
- on data retention period
- on the source of personal data, if not collected from respondents
All information should be provided to the respondent in a clear and simple language, to ensure understanding, and must be clearly indicated and visible so that the respondent does not overlook it.
There is a possibility that providing the requested information to the respondent may reveal information about another person. In such cases, it is necessary to anonymize or completely deny this information in order to protect the rights of that person.
Right to correct data
Each respondent has the right to correct inaccurate or incomplete data that the controller has in his archive.
The right to be forgotten
Respondents may request that information about them be removed from the archives. The request will be taken into consideration and will be granted if it does not contradict the legal basis for the processing of personal data.
Right to limit processing
Respondents have the right to limit the scope of processing, in cases where this is applicable. Right to data transmission. Respondents have the right to a copy of the data for transfer to another controller.
Right to object
Respondents have the right to object, especially in cases where the processing is based on the legitimate interest of the controller. It is then necessary to review the purpose of the processing and establish its legal basis and, where applicable, allow the respondent to withdraw consent to the processing of the data and / or to stop processing his data.
The legal basis for the collection and processing of personal data of respondents are the following:
Laws governing the business of taxpayers prescribe data sets that are necessary for the execution of a legal obligation. For the collection and processing of data prescribed by law, the controller will not seek the consent of the respondents, but will only collect data prescribed by law and will not use them for other purposes. This especially refers to the data collected on the basis of the following laws and their regulations, among which we single out:
- Accounting law
- Value Added Tax Act
- Income Tax Act
- Labor Law
- Ordinance on the content and manner of keeping records about the workers
Performance of the contractual obligation
The personal data necessary for the fulfillment of the contractual obligation will be collected by the controller without a prior consent of the respondent, to the minimum extent necessary for the performance of the obligation.
The controller will publish the legitimate interests on the basis of which he collects and processes personal data for the purpose of enabling and / or improving his services or products.
Questions and Comments
What data is collected?
1. Automatically generated website visitor information data
We collect information and data that is automatically transmitted or generated by your browser each time you visit our website. Such information includes the IP address, the URLs of the site you visited before accessing our Web Sites (“referrer”), the browser used, the browser language, the operating system and user interface, the access device used, date and time of your access, the pages viewed on our website, and the time you spend on the Web Sites. Such data is stored for a period of two years and deleted automatically thereafter. We may use this information to investigate errors, to improve the stability and functionality of the Web Sites and the App, and to assist you in completing any interrupted bookings:
- browser info
- browser name
- browser version
- device model
- OS name
- OS version
- user “account” info
- account ID (if user is logged-in)
- website display settings
- referrer info
- referrer URL
- UTM URL parameters
- GCLID Google Click Identifier
- IP address
- Session ID
→ web page specific “parameters”
- search trips: from-to, trip date, pax
- ticket purchase: user provided (email, name, phone)
- additionally if applicable (depending on the trip requirements): “travel/passenger document ID”, nationality, gender, date of birth
- passenger group (e.g. adult, child, student, …)
- optional: newsletter consent, trip review link consent
- GPS bus tracking
2. We collect data provided by you / user accounts
Furthermore, we also collect and use the information you provide to us about yourself, your travel companions, and about the planning of your trip by using the Web Sites or the App:
a) When you book a travel product through our Web Sites, we ask you to provide personal data, e.g. your name, your email address, phone number, billing address, payment method or credit card information. We will ask you for the data that the respective transportation provider requires to complete the booking process. Our forms show what kind of data is required for each respective booking. We cannot process your booking without provision of the required data. Credit card information will be immediately passed on to the respective payment provider. We only store truncated credit card data (e.g. “411111xxxxxx0000”) for reporting purposes. When you make a booking for someone else (e.g. your travel companion) through the Web Sites, we will request personal information about such companion. You should obtain the consent of all such individuals before providing their information to us as those individuals may not be able to independently view their information themselves if it is provided to us under your account.
- buyer name and surname
- buyer email
- buyer phone number
- buyer address
- buyer city
- buyer country
- buyer language
- buyer credit card brand and basic credit card information: Name and Surname of the credit card holder, address, city, country, credit card issuer, time of the ticket purchase, amounts paid, transaction numbers
- in case of a Google authentication login: Google encrypted token
- buyer page search history
- buyer travel data history
- buyer Review (if consented)
- last log in time
- in case of issuing company invoice: company name, address, phone and tax number
- passenger data: name and surname, passenger groups (adults, students, pensioners etc.), travel data history. Also, we collect (only when requested by the carrier to fulfill a required trip obligation) the following info: travel document type and number, nationality, date of birth, gender.
We store booking-related data for a period of 10 years and thereafter keep the information required by trade and tax law for the statutory retention periods (usually ten years after the conclusion of the contract / booking).
We keep your account data as long as you keep up your user account with us. If you decide to delete your account, we delete the associated data. However, potential booking data (if that is necessary or required by the law) and related basic data will be kept as described.
b) If you contact us or our customer support (e.g. by email, telephone or contact form), we use the data you provided (usually your contact information and your inquiry) to respond. We keep your inquiries for a period of five years after answering except, where required by trade or tax law, we keep such correspondence for the statutory retention periods (usually six years).
If you object to our data processing set out under this section, and no opt-out mechanism is available to you directly please send your objection to us at: email@example.com.
The Web Sites and App are intended to be used by adults only. We do not knowingly collect personal information from children under the age of 13. In the event that we have knowledge that a child under the age of 13 has submitted any personal information to us via the Web Sites or the App, we may use the email address or other contact information provided by the child for the sole purpose of responding to the child’s question or carrying out his or her request on a one-time-only basis. We will not use the email address provided by such child for any other purpose, and we will delete such information from our records once their question has been answered or the request has been fulfilled. If we become aware that we have unknowingly collected personal contact information other than an email address from a child under the age of 13, we will delete the information immediately.
Travel information and basic buyer info (Name, phone number and email) are used to generate ticketsbought on GetByBus which are sent on your email upon purchase. This data is used only for the operating business and as such all parties involved in the passenger transfer have access to it: GetByBus for rebooking / cancellation / customer support purposes and bus operator for allotment management and passenger validation. This category also includes your trip plans in case of bus rent, private airport transfers, excursions. All data is safely stored in the GetByBus system and is not shared publicly.
Once you have traveled by a bus operator available through GetByBus, if you have given us the consent, you will get an email containing review instructions. The review data is shared publicly, that being only the review scores, review text and buyer’s first name. Reviewer’s email, full name and other personal info is never shared outside the GetByBus team.
3. Cookies and User behavioral data analysis
Cookies are small text files that are stored by your browser on your computer or mobile device and which allow re-identification of your computer or mobile device, potentially across numerous websites, including our Web Sites. These cookies contain no personal data. Some of the cookies we use are automatically deleted upon expiry of your session, that is, when you close your browser (these are referred to as session cookies). Other cookies remain stored on your device and allow us to recognize your browser during subsequent visits (persistent cookies).
Our use of User behavioral data analysis allows us to collect information about our users in order to provide simpler and more convenient access to our Web Sites, or to enable us to provide certain services at all.
We use User behavioral data analysis for the following purposes:
- To save your user settings such as language and currency while on using the Web Sites, and between visits.
- To store your login status as a registered user (optional), so you do not have to log in again when returning to the Web Sites later.
- For the technical assignment of your visit to certain servers to ensure a safe transition between pages and search queries.
- To monitor the performance of our systems (no user-based evaluation of data).
- Service providers for website analysis, retargeting, and conversion tracking may also use some sort of Tracking Facilities (see below).
If you click a link on the Web Sites that takes you to the website of a provider (for example when making a booking or to buy a ticket from a partner), it is possible that such other websites also store cookies on your computer. We have no control over these providers’ cookies and the data collected in this way and we cannot accept any responsibility for our providers’ websites or their tracking practices. We encourage you to carefully review the privacy policies of any website that you visit.
We use different categories of cookies for different purposes (see below)
Mandatory for Use: We use strictly necessary cookies that are essential for You to browse the website properly and use its core features. As such they do not require Your consent. These cookies will generally be first-party cookies.
Purpose: Infrastructure cookies are first-party cookies that are necessary for you to browse the website properly and use its core features. They are essential for Us to provide You with the services You expect, such as using our platform to search and book travel services.
Purpose: Security cookies are necessary to ensure an adequate level of security of our website such as user authentication for secure payment and fraud prevention. These may include third-party cookies, e.g. security cookies from the payment provider You selected when You are redirected to the payment page.
Purpose: Core functionality cookies are necessary to ensure the proper functioning of our website and its essential features, such as travel service bookings and ticket issuance. These may include third-party cookies from our transportation providers when you are redirected to their website to finalize your booking.
Category: Performance and Statistics
Purpose: Performance & Statistics cookies are used to help understand personal and statistical use of our website to improve your user experience. As such they may include third-party cookies and similar technologies like analytics services. It allows us to gain important insights about the use of our websites and how different settings affect your user experience.
Purpose: Marketing cookies are used to assist our marketing efforts and improve online advertising performance. They allow us to track your online activity in order to place personalized and relevant advertisements from third-party Ads partners. We may upload your user identifiers received from these cookies to our Ads partner platform such as Facebook, Google and others to help improve the personalization of the advertisements.
Our Web Sites may use what are known as retargeting tags for presentation of interest-related advertising on third-party websites.
5. Conversion tracking
We use advertising partners to advertise our offers on third-party websites. We also use marketing tools to determine the success of our advertising measures (“Conversion Tracking”). We intend to show you advertising relevant to your interests, to optimize our website, and to achieve a fair calculation of advertising costs.
We do not collect or use personal data in the advertising campaigns ourselves. Our advertising partners only provide us with statistical data, which allows us to identify effective advertising campaigns. We do not receive additional data, in particular no data that would allow us to identify our users.
Due to the Conversion Tracking tools, your browser automatically connects to the server of the advertising partners. We have no influence on the scope and further use of data collected by the Conversion Tracking tools of our advertising partners. The advertising partners receive the information that you have visited certain pages on the Web Sites or clicked on one of our ads. If you are a registered user of the advertising partner (e.g. if you have a Google or Facebook account), the advertising partner can relate your visits to such account data. Even if you are not a registered user with the advertising partner, or are not logged into your account, the advertising partner may collect and store your IP address.
6. Web analytics and statistics / Google Analytics
You can prevent the installation of cookies by changing the settings of your browser. Please note, however, that this may prevent some of our services’ feature from working correctly. Alternatively, you can prevent the collection of cookie data and your website usage data (including your IP address) by Google and the processing of such data by Google by downloading and installing a browser plugin available at: http://tools.google.com/dlpage/gaoptout.
Google has incorporated the EU Standard Contractual Clauses, https://policies.google.com/privacy/frameworks?hl=en-US.
User’s IP address and request logs are collected and processed using 3rd party software by GetByBus team. This data is used only for fraud prevention and performance optimizations, and is accessible only by GetByBus team.
Cookies are used to improve our page performances and provide analytics about the page usage. You can learn more about the types of cookies and their purpose by clicking on the cookies link in the footer.
Why do we collect your data? (purpose of processing and legal grounds for processing)
The purpose of collecting your personal data is to
- fulfil our contractual obligation to you
- manage your bookings
- deliver you a good service and always strive to improve it
- provide you with information on products and services that you have consented to receive
- provide information which we think is important to you or that we think you’ll find useful
The purpose of collecting data on our website usage and traffic is to
- understand the way you interact with our website in order to provide you with a better service
- enhance our site’s overall design, layout and functionality
- ensure you constantly enjoy the products and services we offer online
Further more about the data we collect:
1.Purpose of collecting data: fulfillment of contractual obligations
Legal grounds: Processing is necessary for the execution of a contract you are a party to
Category of personal data: Full name, financial data, contractual data
2.Purpose of collecting data: Communication with you, which includes processing for the purposes of:
- Responding to your queries
- Sending you important notices
- Sending/delivering notices from us during the term of a contract
- Responding to your complaints arising from a business relationship with us
- Processing is necessary for the execution of a contract you are a party to Legitimate interest
- Processing is necessary in order to take action at the request of the respondent prior to the conclusion of a contract
- Processing is necessary for the execution of a contract you are a party to
Category of personal data:
- Data provided in the contact form
- Data on previous purchases, contact information
- Contact information
3.Purpose of collecting data: Sending promotional content via newsletters
Legal grounds: Your consent
Category of personal data: Full name, e-mail address
4.Purpose of collecting data: Protection of our websites from cyber-attacks and other threats
Legal grounds: Legitimate interest – increasing the Company's level of security and preventing fraud
Category of personal data: Technical data (IP address, operating system information, information regarding visits to our website)
5.Purpose of collecting data: Meeting our legal obligations
Legal grounds: Processing is necessary to meet the legal obligations of the data controller;
Category of personal data: Full name, financial data, information on concluded contract
6.Purpose of collecting data: Performance and organization analysis of our business
including processing for the purpose of drafting reports and management analysis. We also process your personal data for internal management purposes, conducting business audits, implementing business controls...
Legal grounds: Legitimate interest
Category of personal data: IP address, language, city, country, currency, device information, browser information, OS information, trip information, search type information, landing pages information, information on your transactions,...
All data sent towards GetByBus or sent by the GetByBus system towards your client are sent securely through encrypted channel using SSL encryption and can not be monitored or decrypted by 3rd parties to plain format.
Emails sent by GetByBus system are also sent through SSL encrypted channel towards your email client.
The entire GetByBus system and database is hosted by Amazon Web Services cloud accessible only by having complex access keys and passwords available to and safely stored by GetByBus team.
Data is safely stored in the GetByBus system for as long as the user has the account on GetByBus opened and has not requested for his data to be deleted under the Federal privacy right.
Review data can be publicly posted on GetByBus.com, that being only the ratings, comment text and first name (does not uniquely identify the reviewer).
Your initial login credentials will be emailed to your personal email client with instructions for changing your password. GetByBus is generating, but not storing your initial generated password in plain format.
Upon a successful purchase, your ticket data is used to generate a PDF ticket and will be emailed to your personal email.
Ticked data is shared with the corresponding bus operator in order for the ticket to be verified upon entering the bus, and for the bus operator to perform yield management.
- Data is accessible for the bus operator through GetByBus operator interface
- In some cases, data is also sent to the bus operator’s email
- In some cases, data is also sent to the bus operator’s IT system
Your personal data is not used for marketing purposes by the GetByBus team, unless you have signed up for Newsletter when the email contents are shared with ActiveCampaign (but not used for any other purposes), or in the case you get a review email.
Server access logs are available to GetByBus team only, however they are processed and securely stored by 3rd parties software used only by GetByBus team.
GetByBus nor its payment partner Corvus llc (Buzinski prilaz 10, 10010 Zagreb, Croatia) does not store any of the credit card data - the credit card data is sent from Corvus to the corresponding Bank in order to authorise the transactions and is thereafter deleted.
Both the payment provider Corvus and GetByBus are storing the transaction data (payed amount, credit card owner name and address, credit card type and the first and last four numbers of the credit card number and IP address of the user) for confirmation and safekeeping.
Any mentioned payment data is visible only to the internal customer support and is not used for other purposes.
In case you accept to receive GetByBus promotional newsletters, your travel data, email and full name will be used to generate a personalized Newsletter email. Newsletter email is sent to your personal email through ActiveCampaign system.
3rd party software used for processing data
Hotjar (http://www.hotjar.com, 3 Lyons Range, 20 Bisazza Street, Sliema SLM 1640, Malta, Europe) is used to improve sites user experience. Hotjar measures and records users interactions on the site (mouse movements, clicks, times between actions, browser information, key entries, mouse scroll actions etc.). You can read more about Hotjar data processing here:https://www.hotjar.com/privacy, or you can disable Hotjar tracking for your device here:https://www.hotjar.com/opt-out.
Google Analytics, a website analytics tool developed by Google Inc. ("Google"). Google analytics is the most popular visitor analytics tool used on the web, and based on implementing a cookie in visitors browser to track the way he uses a specific website. Google analytics uses a IP anonymization tool and does not use your anonymized IP to correlate with the rest of the gathered data. As such, Google Analytics provides a broad, group based analytics and does not personalize users. In case you do not want to provide GetByBus with the anonymous usage data collected through Google Analytics, you can opt out by installing a browser plugin fromhttp://tools.google.com/dlpage/gaoptout
- Block facebook plugin using 3rd party browser plugins:https://www.comparitech.com/blog/vpn-privacy/stop-facebook-tracking/
- Block Twitter plugin using 3rd party browser plugin such as:http://noscript.net/
Retargeting software (by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google") is used to create pseudonymized profiles of GetByBus visitors in order to track their website usage for marketing purposes of GetByBus. Cookies could be used in the users browser in order to track reoccuring visits on the page and in order to present web advertisements for products of GetByBus on 3rd party websites. You can disable this feature underhttps://www.google.com/settings/ads, and read more about this feature onhttp://www.google.com/policies/technologies/ads/.
TheRootCause (https://therootcause.io/, Mäster Samuelsgatan 36, Stockholm, Sweden, Europe) is used to improve sites user experience. TheRootCause tracks errors happened on some subpages of site and stores those errors. In case that an error gets stored, several user data will be stored as well (site screen in time error occured, mouse click, user operating system information, user browser information, etc.). You can read more about TheRootCause data processing here:https://therootcause.io/privacy-policy/.
Right to information and Right to appeal
Under the Federal privacy right, you are entitled to request information about your stored data in the GetByBus system as well as to have your data erased from the GetByBus system. In such a case, all of the data GetByBus has about you will be irreversibly anonymised. Such request should be made to Get By aps., Klamsagervej 32, 8230 Åbyhøj Denmark or via email to firstname.lastname@example.org.
Your data protection rights
Under data protection law, you have rights including:
- Your right of access - You have the right to ask us for copies of your personal information.
- Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
- Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.
- Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.
- Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.
- Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
- Your right to withdraw consent - You can withdraw your consent to the processing of your data at any time with future effect. This also applies to declarations of consent that were issued before the GDPR came into force, i.e. before 25/05/2018.
- You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
Please contact us at email@example.com if you wish to make a request.
How to complain
If you have any concerns about our use of your personal information, you can make a complaint to us at firstname.lastname@example.org
All payments will be done in the currency Euro.
When charging your credit card, the same amount is converted into local currency at the exchange rate of credit card associations. As a result of this conversion there is a possibility of a slight difference from the original price stated on our web site: www.getbybus.com