logo Tootbus

Privacy Policy

Introduction

This privacy policy is intended to inform the users on this Site www.tootbus.com and the Application Tootbus-City Guide available on both Apple Store and Google Play, and the services provided by Tootbus (hereinafter referred to as “you” or the “users”) of the terms and conditions for the collection and processing of personal data by Tootbus.  

Moreover, this privacy policy also aims to inform users of their rights and their implementation in accordance with national law and the General Data Protection Regulation 2016/679 of April 27th, 2016 on the protection of natural persons with regard to the processing of personal data.

The data controller is RATP DEVELOPPEMENT, public limited company governed by an executive board and a supervisory board with a share capital of 517 301 072,70 euros located at 9, Rue Brahms 75012 Paris (France) and registered in the Paris Trade and companies register under number 389 795 006 (herein after referred to as the “Company”).

The Company has appointed a Data Protection Officer (hereinafter “DPO”) that you may contact at the following email address: [email protected] or at the postal address:

RATP DEVELOPPEMENT

Délégué à la protection des données

9 Rue Brahms,

75012 Paris, France

 

I. Privacy policy scope

The Company and its subsidiaries operate transportation network and offer rail and road services. This Privacy Policy applies to you when you browse our website, interact with our content, create a user account, or subscribe to the services and benefits offered by the Company or its subsidiaries.

 

II. Type of personal data

Personal data collected by the Company as part of the services it offers are as follows:

  • identifying data (Last name, first name, date/place of birth, nationality) ;
  • contact data (email and postal address, phone number) ;
  • navigation data (searches, number of visits, date of the last visit…).
  • Geolocation

 

 

III. Purposes of processing

The Company processes your data insofar as these processing operations:

  • Are necessary for the execution of the services the company offers :
    This includes the management of your user account, the management of customer relation, the management of subscription to email alerts, the execution of services, and the sending of traffic information in real time.
     
  • Are necessary for the purposes of the legitimate interests pursued by the Company:
    This includes processing in order to ensure a good functioning of services, the realization of satisfaction survey, the sending of diffusion of information concerning the evolution of our services, as well as for statistical and archival purposes.
     
  • Are necessary for the title of legal requirements:
    This includes the processing of your data to comply with applicable laws and regulations.
     
  • Are based on your prior consent:
    With your prior consent, the Company may use your data to send you marketing communications via email, including exclusive travel tips, deals, and offers from Tootbus, as well as basket reminder emails if your purchase is not completed, and the sending of newsletter. The Company also processes data based on your consent to optimize the advertising targeting using data similar to existing customers, in order to reach new potential customers. You may withdraw your consent at any time.

IV. Time of retention

The length of time that the Company retains your personal data includes the period of the contractual relationship as well as the statutory limitation periods.

 It is specified that the ticketing data are kept for a maximum duration of 48 hours. 

Email addresses collected for marketing purposes will be retained until you unsubscribe or request deletion, or for a maximum of 13 months from your last activity, whichever comes first.

V. Recipients of personal data.

a. The Company

RATP DEVELOPPEMENT collects data necessary to ensure the proper functioning of services and delivery. Every collaborator of RATP DEVELOPPEMENT entitled to access data sign a confidentiality agreement.

 

b. Subcontractors

The Company may work with subcontractors in order to perform some services. The subcontractors carry out data processing only for the execution of the services offered by the Company.

The Company contractually impose to its subcontractors to respect all of the regulation concerning confidentiality, technical and organizational measures in a way that data process follow the current legislation and ensuring a protection of customers’ rights.

 

c. Competent authorities

The Company may be required to transmit some personal data to the competent authorities, such as the public authorities, the Commission Nationale de l’Informatique et des Libertés (“CNIL”) or the Direction Générale de la Concurrence, de la Consommation et de la Répression des Fraudes (« DGCCRF »).

 

VI. Rights of the data subject.

 

a. Right of access.

You have the right to access the personal data that concerns you. You have the right to receive confirmation from the controller that the data about you is or is not being processed.

If you exercise this right, the Company will provide you with a copy of the characteristics of the processing carried out on your data (the purposes of the processing, the categories of data concerned, etc.).

 This information will be provided to you either electronically or in paper format. You may obtain a copy of your personal data subject to the respect of the rights of others.

b. Right to rectification

If you find that the data concerning you are incorrect or incomplete, you have the right to ask for the correction or the completeness of this information.

 

c. Right to restriction of processing

You have the right to obtain from the controller the restriction of your personal data processing in particular when you contest the accuracy of data, when the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead or when the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims.

 

d. Right to object a data processing

You have the right to object the processing of your personal data, at any time, if you have legitimate ground and if the process is based on your consent.

Once you use your right to object, your data will no longer be processed. Where the processing is based on a legal regulation, the right to object would not be applicable. 

We inform you that the modification or deletion will intervene without undue delay and at the latest within eight (8) working days from the receipt of your request. 

 

e.  Right to be forgotten.

You have the right to obtain from the controller the erasure of your personal data without undue delay in accordance with the following grounds:

-          the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed ;

-          the personal data have been unlawfully processed ;

-          the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject ;

However, the erasure of these data may not be effected when the processing is necessary for the exercise of the right of freedom of speech, for the fulfillment of a legal obligation or to the ascertainment, use or defense of rights in front of a court.  

 

f. Right to data portability

You have the right to portability for the data you transmitted. You may access to those data in a structured format, commonly used and readable by machine. You also may request your personal data to be transmit to another data controller when technic permits it.

 

g. Right to Withdraw Consent

You have the right to withdraw your consent for marketing communications at any time. To do so, click the unsubscribe link in any email or contact our DPO at [email protected].
 

 

VII. Exercise of rights

You my use your rights by contacting the DPO named by the Company at the address mail [email protected] or at the postal address:

RATP DEVELOPPEMENT

Délégué à la protection des données

9 Rue Brahms,

75012 Paris, France

For any request to exercise your rights, the Company may ask you to send an official identity document (ID card, passport, license driver) to verify that you are the data subject of the data you are requesting.

The answers to your requests will be communicated to you electronically or in paper form.

The Company undertakes to respond to any request as soon as possible and within a maximum of one month from the receipt of your request. However, this period may be extended by two months when the request is complex or because of the number of requests received.

If the Company cannot respond to your request, you will be informed within one month of receipt of your request. The reasons for refusing you will be clearly indicated. You will then have the possibility to lodge a complaint with the CNIL and to form a judicial appeal.

You are informed that in the case of requests that are manifestly unfounded or excessive, in particular because of their repetitive nature, the Company may refuse to grant your requests or require the payment of fees to offset the administrative costs incurred in responding to your requests.

 

VIII. Personal data security

The Company implements all appropriate security measures to ensure the protection of the data collected, and in particular to prevent the destruction, loss, alteration, disclosure or unauthorized access of the Data.

 To this end, security measures such as data encryption will be implemented. Measures to ensure the ongoing confidentiality, integrity, availability and resiliency of treatment systems and services will also be taken.

Any breach of security affecting your data and likely to create a high risk for your rights and freedoms will be notified to you as soon as possible.

 

IX. Storing of personal data

The servers used by the Company to store your personal data are located in the European Union.

The Company transmits certain personal data to its subcontractors providing services necessary for the performance of services. Some subcontractors host personal data on servers located outside the European Union. Therefore, the Company ensures that they provide a level of data protection equivalent to that required by the GDPR within the European Union. To this end, the Company relies on appropriate safeguards, including the Standard Contractual Clauses adopted by the European Commission, to frame and secure these international data transfers. 

 

X. Modification of Privacy policy.

When this Privacy Policy is modified, the update is published on the Company website or via an e-mail indicating the date of update. We invite you to consult it regularly.

 

XI. Tootie App Privacy Policy

You can consult the full privacy policy of the Tootie app on this dedicated page.