Privacy Policy

Select your language:

Whim Users

Last updated 7.9.2021

Whim app is all about giving you the true freedom of mobility. Part of what makes that freedom possible is our commitment to protecting your privacy. We at MaaS Global (“we”, “us”, “our”)  want you to feel safe in knowing that your privacy is protected, and your personal data processed in a transparent manner. This is why we have prepared what our lawyers like to call the “MaaS Global Privacy Policy”. Read this carefully, and make sure you understand what it says before accepting it. If you have any questions about this, we are happy to answer. Just send us an email at privacy@maas.global and we will do our best to get back to you soon.


This MaaS Global Privacy Policy provides information on how we collect, disclose, use and otherwise process personal data, and how we use that data. Please read this Privacy Policy carefully as it’s contained important information about your rights. This Privacy Policy applies to all our services specified in our Whim Service Terms located at www.whimapp.com/terms, as well as our applications and website where this Privacy Policy is presented. 

1. Lawful grounds for data processing

We believe in transparency and acceptance of Privacy Policy before you even start to use Whim app. In addition to obtaining consent, where we are required to do so by applicable data protection laws, processing your personal data may also be based on our customer relationship, and because processing your personal data is necessary in order to provide our services. Sometimes the processing is necessary for the purposes of legitimate interests pursued by the MaaS Global or a third-party interest. This includes fraud detection and prevention as well as for various development and analytics purposes. That is why we want to provide you with full visibility to the types of personal data we collect from you directly and through your use of the Services.

The personal information we collect, store and process will depend on the Services and Content you use.

2. The type of information we collect

Information collected directly from you

Basic personal details. When you register as a user, we ask you to provide your telephone number. The telephone number will act as your account ID and can be used for communication with you in accordance with the applicable laws. 

Additional personal details. When you subscribe to an automatically renewed periodic Plan or make a purchase using the pay-as-you-go model, we will also ask you for your name, email address and street address. We may also ask information relating to your devices, home country, language, credit card details and other payment details. This information is needed to ensure we can process your payment. We also use third party payment processors who will request, and process details related to your chosen payment method. This payment information will be processed directly by the third party and we will not store that data. We may also implement various third-party log-in systems, such as Facebook login, that allow you to provide some of your personal details directly to us from the third-party service. Furthermore, there will be a possibility to personalise your profile with your photo.

Verification data. Some parts of the services require us to perform additional verifications about you using the lawful basis of legal requirement to meet our obligations under the legislation, legitimate interests and necessity to perform a contract, such as verifying your identity, credit information, risk profiling, place of residence or that you are licensed to drive, either automatically or manually.  In order to perform these additional verifications, we may request you to provide additional details such as, but not necessarily limited to, your personal identity number, your photo (biometric measurements of the User’s face, sex) or video (including audio) or your driver’s license details (picture of the Driver’s license, type, number, date of issue, term of validity). Due to our legal obligations, we may make automatic decisions based on personal information. Such decisions include, for example, the license to drive to be certified on the basis of a person’s age or category of driving license. We will inform you in advance if the use of the service requires decisions such as those mentioned above. In addition, we will ask for your consent, where we are required to do so by applicable data protection laws.

Information collected through your use of the services 

When you use the services, we collect information that helps us better provide the services to you. This information includes the following:

Your transactions with us. We maintain records of your purchases, downloads, the content you have provided us with, your requests, agreements between you and MaaS Global, the services provided to you, your delivery details and other interactions with us. We may, in accordance with applicable law, record your communication with our customer care or with other such contact points.

Positioning and location data. Location-based services establish location through the use of satellite, mobile, Wi-Fi or other network based positioning methods. These technologies may involve exchanging your location data and unique device and mobile, Wi-Fi or other network related identifiers with MaaS Global. Our services may operate on multiple device platforms, applications and services which may also collect your location data. We do not use this information to identify you personally without your consent. When you use our location based services and features, for example location based search, navigation and routing, or request for map data, your location data is sent to MaaS Global to serve you with the right content, which may also include and promote location-specific services.

Travel data. We store information about your trips. This includes the start and end points of the trip, the start and end times of the trip, the method of travel, and the cost. This information is associated with your unique user identifier. This information is vital for the functioning of the service, as it allows us to provide the service and to ensure the trip provider is compensated for the trip. 

Favourites. Our service allows you to store favourite points on a map. This allows us to customize our service offerings for your use, and make it easier for you to travel to and from your favourite locations regularly. 

Calendar data. If you wish, you can grant our service access to your calendar. This allows you to request additional services such as travel reminders, travel plans and other functionality.

Other data. We may also collect so called non-personal data. By non-personal data, we mean all other information we collect that does not enable you to be identified either on its own or in combination with other data we hold.  We may collect data such as, but not limited to your IP address, access times, browser or application type, what pages you have visited and the sites linked from. However, in some cases non-personal data can be stored together with your personal data in such a way that the non-personal data could be considered to be personal data as well. In such cases we process it in accordance with the provisions of this Privacy Policy.

Our application is in frequent contact with our service, to provide door-to-door travel capabilities, guidance and booking services, for example to check for updates or to send us information relating to service usage. Additionally, we may invite you to join voluntary product and service improvement, campaigns or research programs where detailed information is collected.

Whim services are typically intended for general audiences. MaaS Global does not knowingly collect personal data of children. Parents can give or cancel their consent to use the Service and process the personal data by contacting Whim Customer Care. 

Information collected by third-party

We also provide our Services to companies and other partners. In some cases, the employer pays for the Service and the right person need to be identified so that the employee benefit can be properly targeted. In this case, your employer will tell us, with your permission, your name, phone number, email address, and the name of your employer. We may also obtain the same minimum and relevant personal information from other partners for the purpose of targeting discounts and special services to the right person.

3. The purposes for which we use the information

We mainly use the data you provide to offer you our services. Additionally, we always want to identify the best mobility option for you and we constantly want to improve our services so that you get the most value from them at any given moment. For this purpose, we need to collect personal data. We have noted above the specific purposes for which we collected certain types of personal data. However, as we continue improving and developing the services, we may come up with new innovative features that potentially also rely on your personal data. 

In order to ensure that we can continue innovating, we would also like you to know and accept that we can collect personal data for the general purposes of i) providing you with our services, ii) making it possible for you to set up an account with us, iii) enabling us to develop, improve and manage our services by better understanding our customers, iv) keeping you informed about our services v) fraud detection and prevention and vi) contacting you in specific cases related to issues you might be experiencing with our services vii) for historical or scientific research or for statistical purposes. Occasionally, we may assign a scientific or statistical research task to a third party we consider reliable. In these cases, it is possible that the researcher obtains your personal data also from other sources.

It is also possible that we are able to further simplify your life by providing you with personalised marketing or recommendations, unless you let us know that you do not wish to receive such marketing.  If you explicitly agree, by opt-in consent, to receive such marketing, it is also possible that your data is used for the purpose of providing you with offers from our partners that suit you and your needs. If, at any time, you prefer not to receive marketing communications from us, you may unsubscribe by clicking the link provided in our emails, or you may contact our Customer Care.

4. Storing of your personal data 

As most other service providers, we store and process your personal data (if any) on third party servers (”Hosting Providers”). The Hosting Providers we have chosen enable us to keep your data mostly in the European Economic Area and/or Switzerland. If we transfer some personal data outside of European Economic Area and/or Switzerland, we ensure that such transfer is effected on a manner which is compliant with Data Protection Law. Those third party servers are protected by physical as well as technological security devices. By using our services, you give us consent to store, process and transfer your personal data (if any) outside of your country of residence to the countries where our Hosting Providers are located. Where we transfer your personal data overseas, we will comply with the provisions set out in section 5 below.  Your personal data is stored for no longer than is necessary for the purposes for which the personal data is processed or such longer period as is required or permitted by applicable laws.

Your profile and the related data will be removed immediately when you remove your profile from our service. All other personal data will be anonymised or removed permanently, regularly at least once a year, unless applicable laws, for example consumer protection, action times or accounting rules, otherwise necessitates such personal data to be held for longer. Such data retention obligations typically last for 3-10 years. 

If we store some of the data for statistical or research purposes, we always ensure the anonymisation of data.

5. Disclosure of the information to third parties 

We utilize third parties to provide payment and related administration services (“Payment Providers”). As noted above, we can share your payment method details with these Payment Providers so that they can process your payment. This processing may take place in the United States, and by sharing your payment details with us you accept to the transfer of such details to the United States. These third parties may also collect data from you, which they will process in accordance with their own processes and privacy policies.

Our products and services may be provided using resources and servers located in various countries around the world. Therefore your personal data may be transferred across international borders outside the country where you use our services or where you first provided your personal data, including to countries outside the European Economic Area (EEA) and/or Switzerland.In such cases we ensure that there is a legal basis for such a transfer and that adequate protection for your personal data is provided as required by applicable law, for example, by using standard contractual clauses for the transfer of personal data of the European Parliament and of the Council (where necessary) and by requiring the use of other appropriate technical and organisational information security measures, in each case to ensure that your personal data continues to receive a standard of protection which is at least comparable to that provided in the country in which you use our services or where you first provided your personal data.

Apart from Hosting Providers and Payment Providers, we may disclose your personal data to third parties provided: 

  • the disclosure is reasonably necessary to provide you with the services. We could, for example, share your name and contact details with a service provider that you want to use so that the service provider knows you will be using their services and will be able to contact you directly, for example in case there is a problem in the service;
  • the disclosure is reasonably necessary for the purpose of development and maintenance of our services. We may, for example, use third party consultants to help us develop our services. Whenever we use third party consultants, we will impose contractual commitments on them to comply with this Privacy Policy and the data used for analytical and personalisation purposes is, as far as possible, anonymised and pseudonymised;
  • the disclosure is reasonably necessary for us to be able to enforce our Terms of Service;
  • the disclosure is reasonably necessary for the purposes of detecting and preventing fraud or security breaches; or
  • the disclosure is made at the request of a public authority;
  • the disclosure is made in accordance with applicable law. 

If we decide to sell, buy, merge or otherwise reorganise our businesses in certain countries, this may involve us disclosing personal data to prospective or actual purchasers and their advisers.

We may share non-personal data or anonymised statistical data to selected third parties. 

6. Your rights 

When you provide personal data to us you have certain rights under applicable data protection laws. You may have the right to obtain a confirmation that we are processing your personal data and the right to know what information we have collected about you. You may also have the right to have incorrect, incomplete, inaccurate, unnecessary or outdated data removed or rectified and, under certain conditions, to restrict or object the use of personal data according to applicable legislation. You may also have the right to a request to have your data moved to another system if it is technically feasible and, under certain conditions, to withdraw your previously given consent to processing your personal data. We want to make this process as simple as possible. Therefore, some of the information you provide will be accessible via the services themselves and you can view, edit or delete that information at any time. 

Some of the information is not available via the services. In case of such information, you can request to review, amend or delete it or to withdraw your consent (where consent is required by applicable data protection laws), by sending a written request to our address stated below, together with documentation that enables us to verify your identity. We will handle your request with all respect and without undue delay.

MaaS Global Ltd.
c/o Data Protection Officer
John Stenbergin ranta 2
00530 HELSINKI
Finland

privacy@maas.global

Please note that in certain situations, in particular if you request that we delete and no longer process your personal data or restrict their processing in an essential way, we may be unable to continue the provision of our services to you. In such circumstances, we will notify you before completing the processing of your request.  

However, we cannot delete permanently the personal data we are required to store longer by law. 

Please note that withdrawing your consent (where consent is required by applicable data protection laws), may not affect our right to continue to collect, use or disclose your personal data where such collection, use and disclosure without consent is permitted or required under applicable laws.

If you consider that the rights given to you under the data protection regulation have been infringed and we have not corrected our actions despite your request, you may contact the supervisory authority in the EU Member State of your habitual residence or the Federal Data Protection and Information Commissioner in Switzerland.

7. Cookies 

We use (with your consent, where required by applicable law) cookies, web beacons and other similar technologies to operate and improve our website and offering. Cookies are used in order to facilitate your use of our website. They are small text files that are stored on your computer or mobile device that register how you use the website and our services, and your preferences. It carries information from one session to the next so that you do not have to start over each time you come back to the site. 

Our domains may also include third party elements that set cookies on behalf of a third party, for example relating to third party social network and web analytics providers.

You can control and/or delete cookies as you wish. You can delete all cookies that are already on your computer and you can set most browsers to prevent them from being placed. If you do this, however, you may have to manually adjust some preferences every time you visit our site and some services and functionalities may not work.

8. Data Security

Privacy and security are key considerations in the creation and delivery of our services. We have assigned specific responsibilities to address privacy and security related matters. We enforce our internal policies and guidelines through an appropriate selection of activities, including proactive and reactive risk management, security and privacy engineering, training and assessments. We have in place appropriate administrative, physical and technical measures to safeguard your personal data from unauthorised access, collection use, disclosure, copying, modification, disposal or similar risks. We use reasonable endeavours to to ensure the ongoing confidentiality, integrity, availability and resilience of processing our services. Also, we limit access to our data bases containing personal data to authorised persons having a justified need to access such information.

As of the Effective Date of this Privacy Policy, we have the following data security measures in place.

  • We use industry standard security mechanisms to protect the collected personal data. All collected personal data is stored in protected databases located behind a firewall and with both physical and software-based access controls provided by our Hosting Provider. 
  • Our payment providers are PCI-DSS Level 1 certified. 
  • We pseudonymise and encrypt the personal data;
  • We have a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

As we innovate and develop our services, we can introduce new or alternative data security measures to protect your data. 

In the event of a physical or technical incident, MaaS Global will use reasonable endeavours to  restore the availability and access to the personal data.

9. General information

The name of the data controller (or “data intermediary’’) is MaaS Global Ltd, business id: 2685777-4, with a registered address at 

John Stenbergin ranta 2 
00530 HELSINKI
Finland

Contact person: c/o Data Protection Officer

The name of the personal data register is the MaaS Global Whim User Registry. 

10. MaaS Global Group

MaaS Global is a global group of companies organized under the parent company MaaS Global Ltd. incorporated in Finland. For the purpose of delivering and developing our services and for management our global operations, personal data may be transferred within and used by MaaS Global group companies for the group’s internal business purposes. MaaS Global group companies may further transfer such personal data to be processed by third party service providers. Where we transfer your personal data overseas, we will comply with the provisions set out in section 5 above. 

You can find the current list of group companies and contact details from our website and it is also available upon request.

11. Changes to this Privacy Policy

Note also that as we want to ensure that this Privacy Policy properly reflects the way we handle your data, we need to reserve the right to make changes to it at our sole discretion whenever it is necessary. Although we will use reasonable efforts to notify you of all substantial changes to this Privacy Policy, you should also do your best to review this document on a regular basis. Notwithstanding the foregoing, we will obtain your consent to such changes where required to do so by applicable data protection laws.