Last updated 10.4.2019
1. Lawful grounds for data processing
We believe in transparency and informed consent when you start to use the Whim app. In addition to consent, processing your personal data is necessary for the performance of our contract, based on customer relationship, and in order to provide our services. Sometimes the processing is necessary for the purposes of legitimate interests pursued by MaaS Global or a third party. This includes fraud detection and prevention as well as various development and analytics purposes. That is why we want to provide you with full visibility to the types of personal data we collect from you directly and through your use of the Services.
The personal information we collect, store and process will depend on the Services and Content you use.
2. The type of information we collect
Information collected directly from you
Basic personal details. When you register as a user, we ask you to provide your telephone number. The telephone number will act as your account ID and can be used for communication with you in accordance with the applicable laws.
Additional personal details. When you subscribe to an automatically renewed periodic Plan or make a purchase using the pay-as-you-go model, we will also ask you for your name, email address and street address. We may also ask for information relating to your devices, home country, language, credit card details and other payment details. This information is needed to ensure we can process your payment. We also use third party payment processors who will request and process details related to your chosen payment method. This payment information will be processed directly by the third party and we will not store that data. We can also implement various third-party log-in systems, such as Facebook login, that allow you to provide some of your personal details directly from the third-party service. Furthermore, there will be a possibility to personalise your profile with your photo.
Verification data. Some parts of the services require us to perform additional verifications, such as verifying your place of residence or that you are licensed to drive, either automatically or manually. In order to perform these additional verifications, we may request you to provide additional details such as, but not necessarily limited to, your personal identity number, your photo or your driver’s license details.
Information collected through your use of the services
When you use the services, we collect information that helps us better provide the services to you. This information includes the following:
Your transactions with us. We maintain records of your purchases, downloads, the content you have provided us with, your requests, agreements between you and MaaS Global, the services provided to you, your delivery details and other interactions with us. We may, in accordance with applicable law, record your communication with our customer care or with other such contact points.
Positioning and location data. Location-based services establish location through the use of satellite, mobile, Wi-Fi or other network based positioning methods. These technologies may involve exchanging your location data and unique device and mobile, Wi-Fi or other network related identifiers with MaaS Global. Our services may operate on multiple device platforms, applications and services which may also collect your location data. We do not use this information to identify you personally without your consent. When you use our location based services and features, for example location based search, navigation and routing, or request for map data, your location data is sent to MaaS Global to serve you with the right content, which may also include and promote location-specific services.
Travel data. We store information about your trips. This includes the start and end points of the trip, the start and end times of the trip, the method of travel, and the cost. This information is associated with your unique user identifier. This information is vital for the functioning of the service, as it allows us to provide the service and to ensure the trip provider is compensated for the trip.
Favourites. Our service allows you to store favourite points on a map. This allows us to customize our service offerings for your use, and make it easier for you to travel to and from your favourite locations regularly.
Calendar data. If you wish, you can grant our service access to your calendar. This allows you to request additional services such as travel reminders, travel plans and other functionality.
Our application is in frequent contact with our service, to provide door-to-door travel capabilities, guidance and booking services, for example to check for updates or to send us information relating to service usage. Additionally, we may invite you to join voluntary product and service improvement, campaigns or research programs where detailed information is collected.
Whim services are typically intended for general audiences. MaaS Global does not knowingly collect personal data of children. Parents can give or cancel their consent to use the Service and process the personal data by contacting Whim Customer Care.
Information collected by third parties
We also provide our Services to companies and other partners. In some cases, the employer pays for the Service and the right person needs to be identified so that the employee benefit can be properly targeted. In this case, your employer will tell us, with your permission, your name, phone number, email address, and the name of your employer. We may also obtain the same minimum and relevant personal information from other partners for the purpose of targeting discounts and special services to the right person.
3. The purposes for which we use the information
We mainly use the data you provide to offer you our service. Additionally, we always want to identify the best mobility option for you and we constantly want to improve our services so that you get the most value from them at any given moment. For this purpose, we need to collect personal data. We have noted above the specific purposes for which we collected certain types of personal data. However, as we continue improving and developing the services, we may come up with new innovative features that potentially also rely on your personal data.
In order to ensure that we can continue innovating, we would also like you to know and accept that we can collect personal data for the general purposes of i) providing you with our services, ii) making it possible for you to set up an account with us, iii) enabling us to develop, improve and manage our services by better understanding our customers, iv) keeping you informed about our services, v) fraud detection and prevention, vi) contacting you in specific cases related to issues you might be experiencing with our services and vii) historical or scientific research or statistical purposes. Occasionally, we may assign a scientific or statistical research task to a third party we consider reliable. In these cases, it is possible that the researcher obtains your personal data also from other sources.
It is also possible that we are able to further simplify your life by providing you with personalised marketing or recommendations, unless you let us know that you do not wish to receive such marketing. If you explicitly agree, by opt-in consent, it is also possible that your data is used for the purpose of providing you with offers from our partners that suit you and your needs.
4. Storing of your personal data
Like most other service providers, we store and process your personal data (if any) on third party servers (“Hosting Providers”). The Hosting Providers we have chosen enable us to keep your data mostly in the European Economic Area. If we transfer some personal data outside of the European Economic Area, we ensure that such transfer is effected in a manner which is compliant with Data Protection Law. Those third party servers are protected by physical as well as technological security devices. By using our services, you give us consent to store, process and transfer your personal data (if any) outside of your country of residence to the countries where our Hosting Providers are located. Your personal data is stored for no longer than is necessary for the purposes for which the personal data is processed.
Your profile and the related data will be removed immediately when you remove your profile from our service. All other personal data will be removed permanently at the latest one year after your customer relationship with us ends, unless applicable legislation, relating to for example consumer protection, periods for filing suit or accounting, otherwise necessitates. Such data retention obligations typically last for 3-10 years. If we store some of your personal data longer, for example for statistical or research purposes, we always ensure the anonymisation of data.
5. Disclosure of the information to third parties
We utilize third parties to provide payment and related administration services (“Payment Providers”). As noted above, we can share your payment method details with these Payment Providers so that they can process your payment. This processing may take place in the United States, and by sharing your payment details with us you consent to the transfer of such details to the United States. These third parties can also collect data from you, which they will process in accordance with their own processes and privacy policies.
Our products and services may be provided using resources and servers located in various countries around the world. Therefore your personal data may be transferred across international borders outside the country where you use our services, including to countries outside the European Economic Area (EEA). In such cases we ensure that there is a legal basis for such a transfer and that adequate protection for your personal data is provided as required by applicable law, for example, by using standard agreements approved by relevant authorities (where necessary) and by requiring the use of other appropriate technical and organisational information security measures.
Apart from Hosting Providers and Payment Providers, we may disclose your personal data to third parties provided:
- the disclosure is reasonably necessary to provide you with the services. We could, for example, share your name and contact details with a service provider that you want to use so that the service provider knows you will be using their services and will be able to contact you directly, for example in case there is a problem in the service;
- the disclosure is reasonably necessary for us to be able to enforce our Terms of Service;
- the disclosure is reasonably necessary for the purposes of detecting and preventing fraud or security breaches;
- the disclosure is made at the request of a public authority; or
- the disclosure is made in accordance with applicable law.
If we decide to sell, buy, merge or otherwise reorganise our businesses in certain countries, this may involve us disclosing personal data to prospective or actual purchasers and their advisers.
We may share non-personal data or anonymised statistical data to selected third parties.
6. Your rights
When you are providing personal data to us you have certain rights. You have the right to obtain a confirmation that we are processing your personal data and the right to know what information we have collected about you. You also have the right to have incorrect, incomplete, inaccurate, unnecessary or outdated data removed or rectified and, under certain conditions, to restrict or object to the use of personal data according to applicable legislation. You may also make a request to have your data moved to another system if it is technically feasible and, under certain conditions, to withdraw your previously given consent to processing your personal data. We want to make this process as simple as possible. Therefore, some of the information you provide will be accessible via the services themselves and you can view, edit or delete that information at any time.
Some of the information is not available via the services. In case of such information, you can request to review, amend or delete it by sending a written request to our address stated below, together with documentation that enables us to verify your identity. We will handle your request with all respect and without undue delay.
MaaS Global Ltd.
c/o Data Protection Officer
Please note that in certain situations, in particular if you request that we delete and no longer process your personal data or restrict their processing in an essential way, we may be unable to continue the provision of our services to you. However, we cannot delete permanently the personal data we are required to store longer by law.
If you consider that the rights given to you under the data protection regulation have been infringed and we have not corrected our actions despite your request, you may contact the supervisory authority in the EU Member State of your habitual residence.
Our domains may also include third party elements that set cookies on behalf of a third party, for example relating to third party social network and web analytics providers.
You can control and/or delete cookies as you wish. You can delete all cookies that are already on your computer and you can set most browsers to prevent them from being placed. If you do this, however, you may have to manually adjust some preferences every time you visit our site and some services and functionalities may not work.
8. Data Security
Privacy and security are key considerations in the creation and delivery of our services. We have assigned specific responsibilities to address privacy and security related matters. We enforce our internal policies and guidelines through an appropriate selection of activities, including proactive and reactive risk management, security and privacy engineering, training and assessments. We have the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing our services. Also, we limit access to our databases containing personal data to authorised persons having a justified need to access such information.
- We use industry standard security mechanisms to protect the collected personal data. All collected personal data is stored in protected databases located behind a firewall and with both physical and software-based access controls provided by our Hosting Provider.
- Our payment providers are PCI-DSS Level 1 certified.
- We pseudonymise and encrypt the personal data.
- We have a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
As we innovate and develop our services, we can introduce new or alternative data security measures to protect your data.
In the event of a physical or technical incident, MaaS Global have the ability to restore the availability and access to the personal data.
9. General information
The name of the data controller is MaaS Global Ltd, business id: 2685777-4, with a registered address at
Contact person: c/o Data Protection Officer
The name of the personal data register is the MaaS Global Whim User Registry.