This privacy notice is intended to provide you with information on how Get By ApS (“GetByBus”, “we”, “us”, "our") collect, process, and share your personal data, which you have given to us, or we have collected from you, when you visit our website(s) www.getbybus.com [and app] (“Platforms”), purchase our products and services, and communicate and interact with us, including on social medias, and will tell you about your privacy rights.
GetByBus respects your privacy and is committed to protecting your personal data. We will only process your personal data in accordance with this Privacy Notice and applicable law to which we are subject, including the General Data Protection Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the "GDPR").
1. Who is data controller?
The data controller for the processing described in this notice is:
Get By ApS
CVR no. 31058724
If you have questions regarding this Privacy Notice, please contact our Data Protection Officer by email at firstname.lastname@example.org.
If you visit our Platform(s), communicate, or otherwise interact with us on social medias such as Facebook, Twitter, Tik Tok and Instagram or other platforms, please make sure to consult the specific privacy notice presented on such social medias or platforms. You should be aware that we may have a joint controllership with the publisher of the social media or platform in question.
2. The personal data we collect and how we collect it
We may collect, use, store and transfer different kinds of personal data about you, grouped as follows:
B. User account data includes all “Booking data” submitted in bookings registered to the same email account as the User account, your vouchers, your receipts, travel history and login details. In case of a Google authentication login, we also store a Google encrypted token.
C. Operator Reviews data includes your email, review scores, review text and your first name as well as documentation for your consent.
D. Customer service data includes any information you may submit when contacting our Customer service. However, it will usually always include your name, contact details and a potential booking reference.
E. Technical data includes IP address, session ID, browser type and version, time zone setting and location, language and currency website display settings, operating system and device type, account ID (if you are logged in), referrer info of the site you visited previously.
F. Usage data includes information on how you interact with our Platform(s). Specifically, in relation to our Platforms, it includes your search history, e.g., from-to, trip date, number of passengers and groups of passengers, demographics and derived interests and preferences.
G. Marketing and Communications data includes your preferences in receiving marketing from us and our affiliates, including your marketing consent and your communication preferences.
In most situations the information is collected directly from you when you visit our Platform(s) or interact with us on social medias, purchase our products and services, request marketing from us or otherwise communicate with us.
3. The purposes and the lawful basis
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
i. Where we need to execute a contract, we are about to enter- or have entered with you, including managing your booking(s), handling complaints, refunds, etc., cf. GDPR Article 6 (1) (b).
ii. Where we need to comply with a legal or regulatory obligation, e.g., for bookkeeping or immigration control purposes, cf. GDPR Article 6 (1) (c).
iii. Where you have provided your consent, e.g., in relation to publishing your Operator Reviews, cf. GDPR Article 6 (1) (a).
iv. Where it is necessary for our legitimate interests (or those of a third party), e.g., to market our products and services towards you by combining data we have collected about you, to be able to communicate with you, to optimize our Platform(s) and troubleshoot any malfunctions or our legitimate interest in establishment, exercise or defence of a legal claim, and your interests and fundamental rights do not override those interests, cf. GDPR Article 6 (1) (f).
Please click here, if you wish to see a detailed description of which of your personal data, we process to fulfil each purpose, including which legal bases we rely on to do so.
We have also identified what our legitimate interests and conducted appropriate balancing tests. Please contact our Data Protection Officer at email@example.com, if you wish to receive more information on the balancing test.
We do not process any sensitive personal data, as defined in GDPR Article 9.
Please note that GetByBus invests reasonable efforts to check whether or not a parent/custody holder has approved any purchases made by minors (below the age of 18), taking into account the available technology.
GetByBus is committed to only retain data on minors during the period necessary to fulfil the contractual/legal obligation (all unnecessary data on minors are anonymized no later than 45 days after the contractual obligation has been concluded or no later than 45 days after the trip).
4. How we share your personal data
GetByBus is part of the Bookaway Ltd. Group. We may disclose your personal data within the Group, where required for the above specified purposes. We base this processing on our legitimate interest to transmit personal data within the Group for internal administrative purposes, such as for the purposes of using centralized IT systems and alignment of business operations and strategies.
We may disclose personal data to third parties:
• when it is necessary for the purposes listed in section 3 above, for example when relevant booking details are shared with corresponding transportation operators, who carry out the passenger transfer.
• when required by law, we may disclose your personal data to public authorities such as tax authorities and law enforcement authorities.
• when you are entitled to a refund, etc., we may share data required for such coverage with relevant parties.
• when you make payments on our Platforms. Your payment may be administered by a payment service provider acting as independent controller.
• We may assign your personal data, to any person or entity that acquires all or substantially all of our business, assets, or with whom we merge.
• when we believe in good faith that disclosure is necessary to establish or exercise our legal rights or defend against legal claims, protect your safety or the safety of others, investigate fraud, or respond to a government request.
In addition to providing your information to the transportation operators, we share information, including personal data, with our trusted third-party service providers that we use to provide services to us and process your data on our behalf and under our instruction, e.g. hosting of data, maintenance IT-systems, administration of sales on our Platform(s), communication, planning and displaying marketing, administration of our interests on social medias, customer support and service, payment processing, delivery of products to you, analytics and other services for us. These third-party service providers may have access to or process your personal information for the purpose of providing these services to us. We do not permit our third-party service providers to use the personal information that we share with them for any other purpose than in connection with the services they provide to us. We have entered into data processor agreements with our data processors.
5. Transfers to third countries
We will not transfer your personal data to recipients outside EU or EEA unless we have ensured compliance with GDPR Chapter V.
Some of our third-party service providers and Group companies are established outside the EEA. Their processing of your personal data will involve a transfer of data outside the EEA. However, to ensure that your personal information receive an adequate level of protection we have ascertained that sufficient safety measures have been implemented to allow for the transfer, including where the European Commission have deemed the country to provide an adequate level of protection for personal data; or by use of specific contracts approved by the European Commission (Standard Contractual Clauses) which give personal data essentially equivalent protection as it has in Europe.
If you require further information about on our current data processors established outside the EEA and the safety measures in place to allow for the transfer of personal data, you can request it from us – please send your request to our Data Protection Officer by email at firstname.lastname@example.org.
6. Data retention
We retain the personal information we collect where we have an ongoing legitimate need to do so. When we have no ongoing legitimate need to process your personal information, we will either delete or anonymize it.
User Account data is stored until you delete your Account with us or when you have been inactive for  years, after which your access will be removed. However, please cf. retention periods below, which may affect certain data also held in your User Account;
Booking data is saved to demonstrate completion of the contract we have/had with you and for bookkeeping and tax purposes for 5 full fiscal years after the expiry of the accounting period to which the purchase relates.
Consents given by you, in connection with providing Reviews of bus operators, etc., made available through GetbyBus, will be retained as proof, 5 years after the last time we relied on your consent or you withdrew it.
Customer service data is saved until the matter has been resolved. If relevant for documentation of satisfactory fulfilment of the contract we have/had with you and for bookkeeping and tax purposes, the data is retained for 5 full fiscal years after the expiry of the accounting period to which the purchase relates.
Marketing and Communications data, data used for creating relevant marketing will be retained for 2 years. If you have consented to receive marketing, we will retain proof of your consent for 2 years after the last time we relied on your consent to send marketing or you withdrew it. We will stop sending you e-marketing when you withdraw your consent.
Technical Data will be retained for [24 months] from the collection of data.
Usage Data will be retained for 12 months from the collection of data, and thereafter may be retained only on an anonymized basis.
Data may be retained for longer period if we are legally obliged to do so, or if retention is necessary to establish, exercise or defend legal claims.
7. How to exercise your data protection rights
You have certain choices available to you when it comes to your personal information. Below is a summary of those choices, how to exercise them and any limitations.
Under certain circumstances, you have the right to:
• Request access to your personal information. This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
• Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
• Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it.
• Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
• Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
• Request the transfer of your personal information to another party (also known as data portability).
• Where our processing is solely based on your consent, you have the right to withdraw your consent at any time. Such withdrawal will not affect the lawfulness of processing based on consent before its withdrawal.
If you wish to exercise any of the data protection rights that are available to you then please send your request to our Data Protection Officer by email at email@example.com and we will action your request in accordance with applicable data protection laws.
You have the right to complain to your local data protection authority if you are unhappy with our data protection practices. In Denmark, complaints can be lodged with Datatilsynet. You can read more about how to lodge a complaint on Datatilsynet’s website here.
8. Changes to this privacy notice
This privacy notice may be updated from time to time to reflect changing legal, regulatory, or operational requirements. We encourage you to visit our Platform(s) periodically for the latest information on our privacy practices.
If there are any material changes to this privacy notice, and you have an account with us, you will be notified by email prior to the change becoming effective.
Annex to Get By ApS’ Privacy Notice