Solent Transport Privacy Notice for MaaS App
Solent Transport represents a partnership between the councils of the Isle of Wight, Hampshire County, Portsmouth and Southampton. Solent Transport is delivering the mobility-as-a-service platform, Breeze app, built and delivered by Trafi Ltd. This Privacy Notice tells you about how Solent Transport collects and uses personal information. Hampshire County Council, Portsmouth City Council, Southampton City Council and Isle of Wight Council (the Partners) are joint data controllers for the data processed by Solent Transport.
This Privacy Notice should also be read in conjunction with the Partners’ privacy policies, which can be found via the links below:
Why do we collect and use your personal data? Personal data is collected to enable you to access the transport services provided through the Breeze app. When you access, connect to, download, create an account for, make purchases within or otherwise use the Breeze app, we will collect personal data about you. The personal data we collect will depend on the circumstances and the services you are using or requesting. In this notice
- How we get your information
- What personal data we process and why
- Lawful basis for processing your personal data
- How long we keep your personal data
- Data sharing
- Do we use any data processors
- Your rights in relation to this processing
How we get your information
We get information about you from the following sources:
- Directly from you, through information you provide via the Breeze App and through enquiries you make via the website
- From cookies, which provide us with information about your visit to the website and use of the app.
What personal data we process and why
The information we process about you will fall within the following categories and is required to enable the transport services to be provided to you via the Breeze App:
1. From use of the App
Your details
- Full name
- Date of birth
- Address
- Driving licence copy (back and front)
- Facial photograph and video
- Gender
- Phone number
- Email address
- Password
- User name
- User ID
- Language settings
- Provider (Facebook, Google, Apple)
- Company name and Invitation Code to connect to your company allowance, when applicable
- Your budget and renew date as defined by your Company
- Mobile number and ID Token to enable user authentication for security purposes
- Version number and time of acceptance of applicable terms and conditions of use and privacy policy of Solent Transport and third parties
Payment
- Credit card type
- Credit card number
- Card holder full name
- Credit card validity date
- Credit card verification number
- User ID
- Payment method ID
Technical
- DeviceID, IP address and installation IDs
- App language and version
- Operating system and version
- Device model and its properties
- Type of network connection (e.g. WiFi, 3G, LTE, Bluetooth)
- Network provider, network and device performance, browser type
- Transferred data volume
Location
- GPS signals, device sensors, Wi-Fi access points, and tower ids to estimate the precise location
- start location
- destination
- start time
- arrival time
- journey time
- connection times
- type of transport
- prices
- user rating of connection information
User ID
- T&C acceptance
- Ticket booking ID
- Ticket departure and zone
- Ticket tariff, price and VAT
- Ticket ID
- Ticket class
- Ticket barcode
- Ticket validity
- Ticket traveller name
- Ticket discount and discount amount
- Ticket type (one-way or return)
- Ticket Invoice details
Time
- timestamp
- CategoryAddedAt
- CommentAddedAt
- RatingAddedAt
- Time
- Request/Response.From.Coordinate
- Now/Start.Timestamp
Trips
- Ride info
- User ID
- User agents
- IP addresses
- Date and time of first use
- Date and time of last use
Marketing Data
- Destination URLs you access
2. From enquiries made to Solent Transport or a Partner Local Authority
- Name and contact details
- Payment information
- Trip details
- Other information that may be required to resolve your enquiry
3. From cookies
Cookies and similar technologies are small text files that are stored on web browsers or devices by web pages, apps, online media or companies.
- Trafi Ltd use technologies for the purposes of exchanging information with
service providers, authentication and remembering preferences and settings.
Details of cookies used by Trafi Ltd can be found
here
Lawful basis for processing your personal data
Depending on the service, we rely on the following lawful basis for processing your personal data under the UK GDPR:
1. For delivering transport services via the Breeze App
Article 6(1)(a) – you have given us your consent to process:
- Your details / Time and Trip data / Location data
Article 6(1)(a) and Article 9(2)(a) – you have given us your explicit consent to process:
- Facial photograph and video
The processing is necessary to prevent illegal attempts to defraud the verification process to enable the technology to confirm you are a real person and not an imposter using a picture or other method to fraudulently obtain travel services without holding a valid driver’s licence.
Article 6(1)(b) Contract – the processing is necessary for the delivery of services under the Terms and Conditions of Use of the app, following data will be processed:
- Your details / User ID data / Payment Data /Technical data / Location data/ Time and Trip data
Article 6(1)(c) Legal obligation – the processing is necessary to comply with the law, including not limited to security and the detection and prevention of fraud. The following data will be processed:
- Your details / Payment Data
2. For Research, Monitoring, and Analytical Purposes
Article 6(1)(f) Legitimate interests – the processing is necessary to enable you to access the app and to enable the delivery of a service in accordance with the app terms & conditions. It is also necessary to provide a functioning app and security as (e.g. adapting the app to the requirements of the user device). Information is also processed to allow the app to pursue the legitimate interest in optimising the app and ensuring the security of both the app and our IT systems. The following data will be processed:
- Your details / User ID data / Payment Data /Technical data / Location
data/ Time and Trip data
3. For Targeted Marketing Purposes
Article 6(1)(a) – you have given us your consent.
We use Google Analytics and use server-to-server Google Measurement Protocol.
We will share your personal data only where you have given us your consent.
We use Braze Inc, a third-party marketing provider for marketing purposes, to make you aware of improvements or changes to services (e.g. the introduction of a new service provider) and to provide messages about the promotions or additional services.
4. Service Messaging and Promotions
Article 6(1)(b) Contract – service messaging is necessary for the delivery of services under the Breeze Terms and Conditions of Use.
Article 6(1)(f) Legitimate Interests – offering generic deals and promotions by sending generic marketing information to Breeze users via in app push notifications is necessary to make users of Breeze aware of improvements / changes to services (e.g. the introduction of a new service provider) and to improve user retention and use of the app. The processing is compliant with the Privacy and Electronic Communications Regulations, as the messages are untargeted.
Article 6(1)(c) – legal obligation – to comply with our data protection obligations.
5. For enquiries/Customer Services
Article 6(1)(b) Contract – the processing is necessary for the delivery of services under the Terms and Conditions of Use of the app.
Article 6(1)(c) – legal obligation – to comply with our data protection obligations
6. For cookies
Article 6(1)(a) – you have given us your consent. For non-essential cookies you have control over whether these store your data when using the site.
Some cookies are necessary to enable core functionality, and these will be notified to you when you use the app.
How long we keep your personal data
We will not keep your personal data for longer than necessary. How long your personal data is retained for will depend on the lawful basis for which it was collected. Depending on that lawful basis we are not always able to comply with a ‘right to erasure’ request.
If you choose to delete your Breeze account, your account will be scheduled for deletion from the operational data base, which may take a few days. Once the data has been deleted you will receive an email confirming the deletion.
Please note that we still may be required to process certain information about you after your account has been deleted, in order to comply with our legal or contractual obligations (see “Lawful basis for processing your personal data”). This could be for example where we are required to; investigate a complaint or establish, exercise or defend legal claims, such as in the pursuit of unpaid bills. We are also required to share information with the Police or other agencies for law enforcement purposes which includes traffic offences such as speeding tickets. However, any personal data needed for these purposes will be transferred to a secure archived backup system and will be held in accordance with our retention information detailed in this notice.
Information processed for research and monitoring purposes will be held for the duration of the research project. At the end of the research project all data will be anonymised.
If you choose to participate in any surveys, you will be redirected to the Privacy Policy of the organisation undertaking the survey which will detail how they manage personal data and how long it will be held for.
Examples of the data which will be held in the archived backup system are detailed below.
Examples of information held in archive system
- User Information: e.g. User ID or Name
- Common activity information for all activity types: e.g. Activity ID, Provider, Type, Status, Timestamp
- User profile update activities: Changes that have occurred (name, birth date, email, gender, address)
- Mobility Service Provider account creation activities:
- User status activities: Was blocked or unblocked
- Solvency check activities: Result of solvency check
- Payment method activities
- Document verification activities: e.g. type of document (passport, ID card or driver’s license)
- Ticket purchase and activation activities: Purchase details (price, payment method used)
- Trip activities (Sharing, Ride-Hailing, Rentals) and Trip information (start and end locations, trip duration, price and payment information
- Errors that may have occurred Subscription activities (purchases, renewals and cancellations)
- Fraudulent actions: Name, Email, Time, Date of birth, Identity Verification, Provider session ID Fraud Status
Retention Information of data used to deliver transport services via the
Breeze App
| Purpose / Record Type | System/ Current Deletion Period | Retention Period as Implemented by Trafi | Trigger | Disposal Method |
| Product Security and Management | Firebase/3 years Firebase Remote Config Firebase Dynamic Links Firebase Cloud Messaging |
Storage while customer account is active and it will be erased from the app after 3 years from the last time the user logged in in the app. | from the data collection | Automatic |
| Product Operations – Backend (Customer account data, history data, T&C/Consent versions accepted, customer service queries) | Backend: AWS/3years |
Backend data: Storage while customer account is active and it will be erased from the app after 3 years from the last time the user logged in in the app |
time starts at end of respective calendar year | Automatic |
| Rail ticket sales data (including refunds) for at least 28 days plus the longest validity period for point to point rail tickets which is currently 3 months for some carnet products | Backend: AWS/3years |
Backend data: Storage while customer account is active and it will be erased from the app after 3 years from the last time the user logged in in the app |
time starts at end of respective calendar year | Automatic |
| Product Operations – Frontend (App event tracking – https://docs.aws.amazon.com/pinpoint/latest/developerguide/event-streams-data-app.html) | Frontend: – AWS Pinpoint(automatic): Trafi loose front end events after 90 days |
Frontend data (mParticle): Frontend events will be deleted after 90 days from the data collection |
from the data collection | Automatic |
| AWS SNS and AWS Cognito | AWS/3years | Backend data: Storage while customer account is active and it will be erased from the app after 3 years from the last time the user logged in in the app |
time starts at end of respective calendar year | Automatic |
| Data Availability and Logs | DataDog/15d (Logs) | 15 days | from the data collection | Automatic |
| MSPs Data Logs | BQ/30days (Logs) | 30 days | from the data collection | Automatic |
| Data Availability and Backups | AWS/30days | 30 days | from the data collection | Automatic |
| Calculate Statistics (raw data from all users) Pseudonymised Analytics and Feedback (raw data from users that provided consent) |
Google BigQuery/90days | 90 days | from the data collection | Automatic |
| Customer Support | Slack,Jira, Slack/At the end of the contract between client and trafi | At the end of the contract between client and trafi | At the end of the contract between client and trafi | Manual |
| Identity verification | Onfido data base | Storage while customer identity and drivers licence is verified. Data is deleted on a rolling 7 day period and is permanently deleted 1 day later. | from date of the verification check | Automatic |
Enquiries
Once an enquiry has been received by Solent Transport, it is forwarded to the relevant Partner to respond to and action. Customer Services are provided via Southampton City Council who is also the lead Partner for Information Governance. The personal data will be held in line with the relevant Partner’s retention schedule, further details of which can be obtained from them directly.
Cookies
Details of cookies used by Trafi Ltd can be found here
Details of cookies used by Unicard can be found here
Details of cookies used by Braze can be found here
Details of cookies used by Onfido can be found here
Data Sharing
In order to respond to enquiries, it may be necessary for Solent Transport to share your personal data with the Partners. To deliver the service requested by you through the app, it will be necessary for us to share your personal data with:
- Trafi Ltd, the host provider of the app. The Privacy Policy of Trafi Ltd can be found here.
- The Mobility Service Providers (transport operators) who provide the transport services purchased by you through the app and you should refer to the Privacy Policy of the individual Mobility Service Providers for further information.
- Unicard who provide the Breeze customer services and operate the Breeze financial back-office functions.
- Onfido Ltd provide an identity verification service. A facial photograph and/or video may be required to verify your identity and to confirm your eligibility to access certain services within Breeze (e.g. mobility services which can only be used with a valid driver’s license).
For the purposes of monitoring and evaluation, it may also be necessary to share your personal data and anonymised data with the Universities of Southampton and Portsmouth and the Department for Transport.
For the purposes of marketing, we use Google Analytics and use server-to-server Google Measurement Protocol. We use Braze Inc, a third-party marketing provider for marketing purposes, to make you aware of improvements or changes to services (e.g. the introduction of a new service provider) and to provide messages about the promotions or additional services. Your data can only be shared where you provide your consent within the app and this will permit the tracking of your activity across other companies’ apps and websites.
In some circumstances, we may be legally obliged to share information with other organisations or agencies in order comply with applicable laws and regulations, for example sharing information with the police for crime prevention purposes.
Do we use any data processors?
Data processors are third parties who provide certain parts of our services for us.
The Partners have contracts in place with them and they process data in accordance with this Privacy Notice and they cannot use the data for any other purpose.
- Processors – Our current data processors for this service
are listed below.
| Data Processor | Purpose | Privacy Notice |
| Trafi Ltd | Trafi Ltd is the developer and host provider of the app..
|
Trafi Privacy Notice |
| Unicard | Customer Services and back office reconciliation functions | Unicard Privacy Policy |
| Braze Inc | a third party marketing provider | Braze Inc Privacy Policy |
| Onfido Ltd | A third party provider of digital identity verification | Onfido Privacy Policy |
Trafi use sub-processers who can be found here and are bound by contractual obligations to ensure compliance with the Data Protection Act 2018 and GDPR obligations.
Unicard use sub-processors who can be viewed on the Unicard Privacy Policy and are bound by contractual obligations to ensure compliance with the Data Protection Act 2018 and GDPR obligations.
Braze Inc use subcontractors who can be viewed on their Privacy Policy and are bound by contractual obligations to ensure compliance with the Data Protection Act 2018 and GDPR obligations.
Onfido Ltd use subcontractors who can be viewed on their Onfido Privacy Policy and are bound by contractual obligations to ensure compliance with the Data Protection Act 2018 and GDPR obligations.
Your rights in relation to this processing
As an individual you have certain rights regarding our processing of your personal data, including a right to lodge a complaint with the Information Commissioner’s Office as the relevant supervisory authority.
These rights include:
- The right of access – You have the right to obtain confirmation that your data is being processed, as well as access your personal information.
- The right to rectification – You have the right to have inaccurate personal data rectified, or completed if it is incomplete
- The right to erasure – You have the right to have all your data erased, also known as the ‘right to be forgotten.
- The right to restrict processing – You have the right to request the restriction or suppression of your personal data. This is not an absolute right and only applies in certain circumstances
- The right to object – You have the right to object to processing in some circumstances. The processing must stop unless there is legitimate grounds that override your rights, interests or freedoms, or the processing has been done in regards to a legal claim
To exercise any of these other rights, please contact Solent Transport.
You will be able to amend information and rights of access in the App. You can also delete your account data from the App at any time.