Hopp til innhold

AtBeta

Privacy policy

Privacy policy and cookies for AtBeta

Les versjon på norsk

When you visit our website, your browser will download information capsules (“cookies”). These are small text files that are exchanged between your unit and our website and which are used to ensure the optimal functioning of the website. Below, you will find a summary of the cookies used on our website.

Cookies on this website

Only cookies from Google Analytics are used on this site. Read section on analytics.

Google Analytics

Our website uses “Google Analytics” to collect information about the use of our site. Google Analytics collects information such as how often users visit our site, what pages they visit when they do so, and what other sites they used prior to coming to our site. We use the information we get from Google Analytics to improve our site. Google Analytics collects only anonymized IP address to you on the date you visit our site, rather than your name or other identifying information. We do not combine the information collected through the use of Google Analytics with personally identifiable information. Although Google Analytics plants a permanent cookie on your web browser to identify you as a unique user the next time you visit our site, the cookie cannot be used by anyone but Google. Google’s ability to use and share information collected by Google Analytics about your visits to our site is restricted by the Google Analytics Terms of Use.http://www.google.com/analytics/terms/us.html

You can prevent Google Analytics from recognizing you on return visits to this site by disabling cookies on your browser. https://tools.google.com/dlpage/gaoptout

Statistics and logs

When you browse our website, information is stored in statistical and log files. The system stores the user agent, IP address and what page a visitor has viewed in a raw data table. This information is then used to generate statistics on the number of page views per object (menu item, article, file), per host and per search term. All data in the raw data table are deleted after two days, and the remaining statistics then contain only summary data that cannot be used to identify individual users. We also store the user agent, IP address and what page a visitor has viewed in the web server’s logs. These logs are used exclusively for troubleshooting and security purposes, and no data are taken from these logs or otherwise used. The logs are deleted at regular intervals (normally every four weeks). Only the administrators of the web server (operations), have access to them.

Privacy Policy Agreement for Application

Les versjon på norsk

1 Introduction

AtB AS (henceforth «AtB») is a mobility company for the public transport in Trøndelag County. AtB is responsible for planning, organizing, purchase and marketing of public transport services. AtB is registered as a limited company and is fully owned by Trøndelag County Authority.

2 About the Agreement

This Privacy Policy Agreement explains how AtB collects and processes personal data from their customers and/or users of the public transport (henceforth referred to as “customer”). Personal data is defined as any data about an identified or identifiable physical person, in this case the customer, according to article 4 of the data protection regulation.

The agreement satisfies the requirements in the data protection regulation (GDPR) and industry norm for the processing of personal data in regard to electronic ticketing (henceforth referred to as the “industry norm”).

The agreement contains information the customer has a right to review according to articles 12-14 of the data protection regulation, and general information about how AtB treats your personal data.

In addition you will find information about how you can access personal data AtB has collected about you and how you can proceed if you want us to correct or delete your information

3 General Information about Processing of Personal Data by AtB

3.1 Data Controller

AtBs CEO has the overall responsibility for the processing of the customers personal data according to the Personal Data Act and is thereby defined as the data controller. AtB will ensure that the customers personal data will be treated following the personal data act and other regulations at any time.

3.2 The App processes the following information about you

Email address: In the pilot-version of the app, AtB needs your e-mail adress in order to give you access to the app, as well as send you relevant information about the pilot project by e-email.

Sales documents: All sales documents are saved in accordance to the Norwegian Bookkeeping Act. Information about your trips that can be extracted from your purchases will only be accessed as personal data when it is initiated by the person registered, e.g. in case of a complaint or other inquiries that require to take a closer look at all details connected to a specified purchase.

Information about method of payment: Credit card – To be able to pay by credit card there is an interface towards the payment service that enables the registration of a credit card via the App without saving all card details. . Even if you choose to save one or more credit cards in your profile, your full card details will only be accessible by the payment service. Only the six first and the last four digits of your card number and the expiration date will be saved in connection to the app. This is required to enable the customer to recognize his or her registered card, to generate necessary details that are required for a receipt, and to ensure a customer’s possible claim of reimbursement.

Technical information: When you use the App app or App Web, your IP-address, time of request, information about browser or mobile phone, and version number and mobile platform for the app, including the chosen language, will be logged in an application log. This information is required to enable the function of the service on the given platform/mobile phone and will be logged for the service to function as intentioned. This also gives us necessary information to solve a problem that may occur in case of a malfunctioning of the system. We do not use any form of analytics (e.g. Google Analytics) that collects data about or logs patterns of identifiable users. The only related functions are crash reports via Bugsnag that provide fully anonymized crash reports and are considered as an aid to secure fast correction of errors in case the app should crash.

Journey data: By accepting that the app can access to the phones GPS, position data will only be used locally on the phone. No position data will be logged in the app and transmitted to backend. The only journey data that will be processed is the information about the chosen departure location/-zone and destination/-zone that is necessary to document purchases and calculate the correct prize. We also use your position data when searching for travel routes, in order to be able to suggest the best travel route. The journey data that is connected to your purchase will be saved and anonymized together with other data in the sales documentation

3.3 Sources of personal data

All the personal data that are processed in connection to App are created or registered by yourself. We do not collect information from external sources or services:

  • You can always access the app settings to correct or change other personal data entered by yourself.

3.4 Access to personal data

Personal data will only be accessible to authorized personnel with a professional interest through the public transport provider and their subcontractors, including ticket inspection companies, payment service providers and operators.

In some cases, AtB can provide personal data to the police or other public authorities. This requires a legal basis or a court order. In addition to this, AtB will provide the Travel Complaint Handling Body (Transportklagenemnda) with personal data if an inquiry for our travel guarantee or a fine is appealed by the customer after AtB has rejected the inquiry or the complaint.

No data will be transferred to external third parties that are not mentioned in this privacy policy agreement, neither in Norway nor in other countries,

3.5 Purpose of processing personal data

AtBs overall purpose with the processing of different personal data connected to the use of App, is to be able to provide good and effective products to our customers when providing public transport services. In addition, AtB wants to create the prerequisites to effectively serve the customers, as well as enable the ticket inspectors to verify valid tickets.

It is optional to use App. If you choose not to use the service, you can choose to buy tickets in alternative ways, such as AtBs homepage, in the service center, aboard the vehicle or means of transport, by SMS, from retailers or ticket and parking machines in Trondheim city center.

Information used in statistics is anonymized and can therefore not be traced to you as a person. Furthermore, statistics are used to improve and develop our services towards our customers. Examples for when statistics come to good use is when we need to know the number of passengers travelling between specific zones, the number of tickets sold in each category and the number of tickets bought on each mobile platform (Android or iOS). AtB collects information from the tickets purchased in the App.

3.6 Treatment basis

AtBs treatment of personal data is based upon the customers registration of a user that enters an agreement with AtB when buying a product. AtB will save these data for as long as the customer maintains a customer profile with a registered user in App. The customer can then buy a new product at any time. The basis of agreement is pursuant point (b) of Article 6 (1) of the personal data regulation, providing treatment when treatment is necessary to fulfill an agreement the registered person is a part of, or to implement actions on behalf of the registered person prior to entering an agreement.

Treatment for statistical purposes is pursuant point (e) of Article 6 (1) of the personal data regulation and § 8 of the Norwegian Personal Data Act, since it is necessary for statistical purposes in the interest of the public.

3.7 Information security and secure saving of personal data

AtB follows the requirements for information security in chapter 2 of the personal data regulation and the regulations of the industry norm.

AtB can use travel data together with customer data when it is initiated by yourself. This can occur in case of a complaint on the travel guarantee, complaints on fines or other inquiries on your behalf.

AtB will not use travel data together with customer data to create statistics, when charging business partners and usually not when troubleshooting.

3.8 Approach to access requests, correction or deletion.

You have the right to access personal data about yourself and you can demand correction of wrong or incomplete information about yourself. Furthermore you can demand deletion of unnecessary information about yourself.

If you wish to access or correct/delete your personal data saved by AtB, you will have to request this in written form – either to: atb@atb.no, by mail or in person at our service center in Prinsens gate 41.

When contacting us by mail, please use the following address:

AtB AS v/ Kundesenteret
Prinsens gate 39
7012 Trondheim

Errors in your personal data treated by AtB can easily be corrected if you contact the service center.

If you wish to delete your customer relationship including your personal data, you can do this too by contacting the service center.

The phone number to the AtB service center is: +47 478 02 820

Our customer service can help you to get in touch with the privacy representative if you have specific questions about AtBs treatment of your personal data in cases where you cannot find an answer in this Privacy Policy Agreement. If you need to get in touch with the privacy representative directly, you can send a letter to AtB marked “personvernombud” or by email to: personvernombud@atb.no, or call +47 478 02 820 and ask to be forwarded to the privacy representative.

AtB will answer your request as soon as possible and within 30 days. We will ask you to confirm your identity or to provide further information before you can claim your rights towards us. We do this to make sure that we only grant access to your personal data to yourself and not to someone claiming to be you.

3.9 Other rights

You have the right to object against the treatment of personal data. At any given time, due to reasons of your specific situation, you can object against treatment of personal data about yourself. The treatment must be pursuant point (e) or (f) of Article 6 (1), including profiling according to the mentioned regulations. AtB can no longer treat your personal data unless the company can prove important and rightful reasons to treat your data that overgo your interests, rights or freedom, or to define, claim or defend legal claims.

You have the right to data portability, the right have the personal data transmitted from one company to another as stated in article 20 of the personal data regulation. The registered person shall have the right to receive personal data about him or her that AtB has received in a structured, commonly used and machine-readable format and has the right to transmit those data to another data controller without hindrance from the data controller to which the personal data have been provided. This requires that the processing is based on consent pursuant point (a) of Article 6 (1), point (a) of Article 9 (2) or an agreement pursuant point (b) of Article 6 (1) in the personal data regulation. The processing is to be carried out by automated means.

To exercise your rights, the approach will be as described above in point 3.7.

If you experience that our processing of personal data does not adhere to our description here or that we do not adhere to the Data Protection Act in other ways, we ask you to contact us. If needed, you can file a complaint to the Norwegian Data Protection Authority (DPA). You can find information about how to contact the DPA on their website: www.datatilsynet.no

3.10 Use of Data Processors

AtB may share your personal data with «Data Processors». Data processors are subcontractors that process personal data on behalf of AtB, as stated in the Data Protection Act §2. This applies to suppliers of ticketing and other systems where you as a customer may enter your personal data. Either in the form of a user profile connected to your journeys or when complaining about a rejected inquiry for our travel guarantee or a fine where AtB will have to proceed a case after you have made an inquiry.

These data processors cannot use personal data in any other way than to provide the service as agreed upon with AtB in a Data Processing Agreement. AtB take special precautions to ensure that our data processors act according to the Data Processing Agreement, this Privacy Policy Agreement and the Norwegian Data Protection Act.

AtB will only make use of data processors located in Norway, EU/EEA countries or countries that have sufficient privacy laws.

4 Automatic Registration of Customer Data When Visiting our Website

As one of many websites, AtB uses cookies and similar technologies on our website. As a result, certain types of data about you as our customer will be registered and stored automatically when you visit our website. These data are used to register and analyze “traffic patterns” on our website. The information is used to identify how visitors navigate on our sites, how much time they spend on a site, what services they use and where they are from.

Common data being recorded is information about browser and operating system in use, and the domain or IP-address you are connected to. This information is used to create statistics about visitors use of the site and will be deleted continuously. Such customer information is anonymous. AtB does not store information that can give away the customers identity.

For further information regarding this, please refer to our website: Privacy policy and cookies.

5 Storage, Duration and Deletion

All data stored in the backup system is stored according to current legislation. Your personal data will not be stored longer than necessary to fulfill the communication purpose of the app. Both the controller and the app developer has ensured information security measures and in-house routines to verify that no personal data go missing or are being used for other purposes than described in this Privacy Policy Agreement.

Both the controller, AtB, and its data processors are following the principles for embedded privacy protection and privacy protection as a standard setting. This includes, among other things, that your personal data shall not be stored longer than necessary to fulfill the purpose of the service.

Profile information: Your profile information will be stored for as long as you remain an active user of App. Profile information of inactive users will be deleted after three years. A user is considered inactive if there have been no purchases or other activities from the user or their sub-users in the app, and their App account is empty. You can at any time ask for your user to be deleted from the App service. To be able to use the service again later, you will first have to register for the service again. Your phone number will be verified during the first log in on a new device. If you have entered other personal information in the app, you can at any time change it in your profile in the settings.

Transaction history and sales documentation: All the sales documentation will be stored for 5 years after the end of the fiscal year, in accordance to the accounting legislation, including the Bookkeeping Act with its regulations. The receipts of your last purchases will always be accessible through the app. In accordance with demands from the payment services, AtB is obliged to give you access to the sales documentation form all your purchases of services, with an expiration within the last 20 months, carried out by your user or connected to your App account. You can extract this information yourself by logging in on the Web Solution. After 20 months, the sales documentation will be archived and anonymized in a way that it will not be possible for you or for someone with professional access to the App service to extract this information connected to your user.

Technical information and transaction logs: Different parts of the transaction log are stored for a sufficient timeframe to ensure the service to function as intended and to ensure that customers receive the service they are entitled to. Normally, the details of the application log will be deleted or anonymized after 104 days. In case of complaints based on errors in the service, the storage time for the transaction log can be increased to cover a necessary timeframe to process the case.

6 Security

All communication between the service and the application on the phones of end users is encrypted. Access to the system on the web is encrypted. All data transfer between the parts within the system is encrypted. Access to extract data is possible solely through API encrypted and secured with access keys. Access to data through AtBs interface is defined by role, personal and events are logged to ensure traceability. The administration interface for the service is designed with different access levels to limit access only to persons from AtB on a need to know basis.