This privacy policy takes effect on 15 July 2019. It describes in detail what information we collect from you, on what basis we collect it, how we use it, and rights you have to control how we use it. In this latest version of the privacy policy, we have made changes to reflect the end of our Citymapper Ride service offering.

Any transportation that you can book by clicking through the Citymapper App to open a third-party app (for example, Kapten or Uber) shall be referred to as a "Deeplink Affiliate Ride". Any transportation that you can book within the Citymapper App without opening another app shall be referred to as a "Native Booking Affiliate Ride".

This policy applies to anyone who uses our website, ("Site"), our app ("Citymapper App") and our transportation pass ("CM Pass"). We'll refer to the Site and the Citymapper App together as "the App".

"We", Citymapper Limited, a company registered in the UK, are the data controller as defined by the General Data Protection Regulation.


There are three categories of information we collect: (1) information you provide, (2) information created when you use our Native Booking Affiliate Ride or CM Pass; and (3) information from other sources.

  1. Information you provide

    When you use our App, a Native Booking Affiliate Ride or CM Pass, you might provide us with (a) personal information; (b) places and preferences; and (c) direct communications.

    1. Personal Information

      If you're a user of the Citymapper App and you choose to create a Citymapper account, you provide us with your name and email address, which we use to ensure your saved places and other personalisation features are synced across your multiple devices. When you log in using Facebook or Google, we do not send them any data about you, and we do not collect any information from them.

      If you're a Native Booking Affiliate Ride passenger, you provide us with your name, your phone number (this enables you to communicate with your driver) and your email address (to provide customer service and help ensure the safety of the transport services). You must also provide us with your payment details.

      If you sign up for a CM Pass, you provide us with your name, email address, home address, mobile phone number and date of birth so that we can verify your identity to prevent fraudulent or unauthorised use of our services. If we are not able to verify your identity using this initial check, we will ask you to provide additional information (such as a copy of your passport ID page or driving licence, proof of address or your photograph ("Additional ID Documents")) in order to verify your identity. You are also required to provide payment details to pay for your subscription and other fees as specified in the Citymapper Pass Terms.

    2. Places and Preferences

      Regardless of whether you have a Citymapper account, you may choose to provide us with information on your places and preferences, such as Home, Work, Saved Places, and other travel preferences. We process this information in order to provide you with personalised journey-planning services. We also store and analyse this data in aggregate to improve the Citymapper App (for example, by ranking certain journey results more highly than others).

    3. Direct Communications

      Communications you might send to us include responses to in-App survey questions, reporting a problem, or submitting queries, concerns or comments regarding the App, a Native Booking Affiliate Ride, or CM Pass. These messages to us will also contain details such as the type of phone you're using, your service provider, and if you've enabled the location permissions in your device, the latitude and longitude of your location when you contact us. We process this information in order to fix problems in the App, with Native Booking Affiliate Ride or with CM Pass, to reply to your communications, and to help keep you safe.

  2. Information created when you use our App, Deeplink Affiliate Ride, Native Booking Affiliate Ride or CM Pass

    The following are the types of information created when you use our App, Deeplink Affiliate Ride, Native Booking Affiliate Ride or CM Pass. We associate this information with an installation ID number that is randomly generated each time you install the Citymapper App. We use this installation ID to pseudonymise the data we collect from you, and do not access any permanent device ID numbers.

    1. Location Information

      Users of the Citymapper App: We aggregate and analyse journey start and end points. Assuming you've enabled your device to provide location information and you haven't entered your start point manually, we collect and use your start location information as determined through data such as GPS, mobile phone towers, and WiFi. If you haven't enabled your device to provide location information, you will have to manually enter your start and end points, which is then the location information we collect and use.

      When you tap GO in the Citymapper App, we collect your location information throughout your journey. We use this data to provide on-trip support, such as alerting you when to get off a bus. We also store and analyse this data in aggregate, as we do with the other types of location data described in this "Location Information" section, to improve the journey results we show to all users and to create and evaluate routes for our transportation services.

      Passengers: If you are a passenger of a Native Booking Affiliate Ride, we collect your location information when the Citymapper App is running both in the foreground and background of your device during your journey. Knowing your location during your ride enables on-trip support and passenger and driver safety.

      When you take a Native Booking Affiliate Ride, in addition to your location data, we collect and store your booking details, your driver and vehicle information, the date and time of your journey, the amount charged, your pick up and drop off location, cancellations and no-shows. We store and use this information for operational reasons, such as providing customer support, and to improve services.

      CM Pass Users: If you are a CM Pass user, we will collect your location information as described above if you tap GO in the Citymapper App while using your CM Pass.

    2. Device Information

      We collect information about the devices you use to access our App and to use Deeplink Affiliate ride and Native Booking Affiliate Ride, including the type of computer or device you use, the installation ID of the App on your device, the hardware models, operating systems and versions, software, file names and versions, the preferred languages, time zone settings, and device motion information. This information is necessary for us to diagnose bugs and improve the App.

    3. Log and Usage Information

      Each time you interact with our App, we collect information about how and when you use it, such as the time and date when you opened the App, the searches you make, the features and journey results you click on, pages visited, app crashes and other system activity. We use this information to improve our App in multiple ways. For example, using App crash data, we can fix bugs and prevent future crashes, and by knowing what gets tapped or scrolled most often, we can replace unpopular features with other, more helpful features.

    4. Cookies

      The App uses cookies to store certain information. Cookies are pieces of information that a website or app transfers to your hard drive or mobile device to store and sometimes track information about you. Although they identify a user's device, cookies do not reveal the name, email address or other obvious identifiers of users.

      When you interact with the App, we try to make that experience simple and meaningful. When you visit our App, our server sends a cookie to your computer or mobile device, depending on how you access the site or App. Cookies are small pieces of information which are issued to your computer when you visit a website and which store and sometimes track information about your use of the site. A number of cookies we use last only for the duration of your web session and expire when you close your App. These are known as "session cookies". Other cookies are used to remember you when you return to the App and will last for longer. These are known as "persistent cookies".

      We use cookies to:

      • remember that you have visited us before, which allows us to identify the number of unique visitors we receive. This allows us to make sure we have enough capacity for the number of users that we get; customise elements of the promotional layout and/or content of the pages of the App; and

      • collect information about how you use the App so that we can improve the App and learn which parts of the App are most popular to visitors.

      Some of the cookies used by our App are set by us, and some are set by the third-party analytics and crash/error-reporting companies we've described in this policy who are acting on our instructions. For example, Mixpanel tracks what users do in the Citymapper App so we can improve the design and functionality.

      Most browsers automatically accept cookies but, if you prefer, you can change your browser to prevent that or to notify you each time a cookie is set. You can also learn more about cookies by visiting which includes additional useful information on cookies and how to block cookies using different types of browsers. By blocking or deleting cookies you may not be able to take full advantage of the App's features.

  3. Information from Other Sources

    Citymapper collects the following types of information from other sources.

    1. Payment information

      In order to pay for your CM Pass or your ride on a Native Booking Affiliate Ride, you will need to provide payment information to our third-party service provider, Stripe, such as your credit card details. They provide us only with the last four digits of your card number and expiration date, which we require in order to handle operational issues such as subscriber and passenger queries about charges.

    2. Log-in Information

      If you log into your Citymapper account using Facebook or Google, those companies provide us with your name and email address, which are necessary for us to log you in to the Citymapper App. We do not collect or use any other information received from those two companies.

    3. Identity verification

      If you sign up for a CM Pass, we receive a due diligence report from third-party agencies that provide identity verification, in order to confirm your identity. This information is necessary to prevent fraudulent or unauthorised use of our services and to comply with relevant financial crime laws.

    4. Cardholder ID and transaction information for CM Pass

      If you are a CM Pass user, we receive a "Cardholder ID" from the third-party company that issues your CM Pass card. The Cardholder ID is your unique identifier that allows us to know which CM Pass card has been issued to you. When you use the CM Pass, we also receive your transaction information from this third-party company, including the date, time, amount, and merchant details associated with the transaction.

    5. Driver details

      If you are a driver for a Native Booking Affiliate Ride provider, we receive your name, vehicle information, photograph, phone number, and current location from that Native Booking Affiliate Ride provider. This information facilitates your communication with, and pick up of, your assigned passenger and is used to create transaction receipts for passengers.


In summary, we use the information we collect to:

We work hard to improve the App and add functionality, which we think will make it safer, more fun and more useful for our users. New functionality may involve similar or incidental uses of your data to those set out above. We regularly review the way we use data, and will update our privacy policy to reflect these improvements to the App.


To the extent we share information with third parties, we do so to enhance your experience with the App, and we pseudonymise and minimize the data we send to them.


We'll only process your personal information where we have a legal basis for doing so. Our legal basis to process your personal data includes processing that is:



You have a legal right under the GDPR to request access to a copy of the personal information about you held by us. In order to do this, contact us at Please use the subject line "DSAR" and include details about what personal information you're looking for. You will need to have created an account in order for us to provide you with your information because without an account, we are not able to connect your Installation ID to a verifiable email address.


Subject to any legal obligations to keep your information longer, we store your personal information for as long as is necessary to provide our services and products, or until you ask us to delete it, whichever comes first.

If you ask us to delete your personal information by emailing us at, please use the subject line "Account Deletion."

Note that residual copies may take longer to be removed from our backup systems. We will keep a record of your request in order to ensure compliance with legal obligations.

Marketing opt-out

You have the right at any time to prevent the use of your personal information for direct marketing purposes. If you no longer want to receive marketing messages from us, please let us know by writing to us at or clicking on the unsubscribe button at the bottom of marketing emails, and you will be unsubscribed accordingly. Please note that sometimes it can take a short amount of time to refresh our records for these purposes. Also, we may still send you non-promotional, transactional messages, or information about your account.


We may send you information we think you may find useful (e.g., tube line and subway disruptions and alerts about CM Pass relevant to you) or which you have requested from us by push notification and/or by email (if provided), and we or your device's operating system will give you the option to opt-out of receiving further notifications or emails.


We place great importance on the security of all information associated with our users. We use measures such as encryption, pseudonymisation, information access controls, and firewalls.

Keep in mind that submission of information over the internet and mobile networks is never entirely secure. We cannot guarantee the security of information you submit via the App whilst it is in transit over the internet or mobile networks and any such submission is at your own risk.


Information that you submit via the App is sent to and stored on secure servers located in the United Kingdom, other European Economic Area countries and in the United States. Information submitted by you may be transferred by us to our other offices and/or to the third parties mentioned in the circumstances described above, which may be situated outside the European Economic Area (for instance in the United States).


We do not knowingly collect personal information from children under the age of 13. If you're under the age of 13, please do not submit any personal information through the App or email. We encourage parents and legal guardians to monitor their children's internet use and to help enforce our privacy policy by instructing their children never to provide personal information on our website without their permission. If you have reason to believe that a child under the age of 13 has provided personal information to us, please contact us as specified below, and we will work to delete that information from our databases.


We may revise this privacy policy from time to time. Any changes and additions to this privacy policy will be posted in the App and are effective from the date on which they are posted. Please review this privacy notice from time to time to check whether we have made any changes to the way in which we use your personal data. This privacy policy was last updated on 15 July 2019.


We work hard to handle your information responsibly. If you're unhappy about the way we do this, please contact our Data Protection Officer by email to

However, you also have the right to lodge a complaint about the data processing activities carried out by Citymapper with our lead supervisory authority, the UK Information Commissioner's Office. Our ICO registration number is ZA017660.


Please submit any questions, concerns or comments you have about this privacy policy or any requests concerning your personal data by email to our Data Protection Officer at You can also reach us at Data Protection Officer, Citymapper Limited, Cargo Works, 1-2 Hatfields, London, SE1 9PG, United Kingdom.