Citymapper's privacy policy

This privacy policy takes effect on 10 February 2020. It describes what information we hold, why we hold it and how we use it. This policy applies to anyone who uses our website, www.citymapper.com (“Site”), our App (“Citymapper App”) and our transportation pass (“CM Pass”). We'll refer to the Site and Citymapper App together as “The App”. In this Privacy Policy, references to the App include both free and paid (Citymapper Club) versions of the App.

We are Citymapper Limited (“we”, “our”, “us”), a company registered in the UK. We're the data controller as defined by the General Data Protection Regulation and are registered with the Information Commissioner's Office (the UK data protection authority) under number ZA017660. If you have any questions about this policy or want to contact our Data Protection Officer, please contact us through the App or send an email to support@citymapper.com.

What information do we hold and why?

There are three types of information we process: (1) information you provide, (2) information created when you use features in the App or CM Pass and (3) information from other sources.

  1. Information you provide

    When you use our App or CM Pass, you might provide us with (a) personal information; (b) places and preferences; and (c) direct communications.

    1. Personal Information

      If you create a Citymapper account, you provide us with your name and email address, which we use to ensure your saved places and other personalisation features are synced across your multiple devices. When you log in using Facebook or Google, we receive your name and email address from them.

      When you book transportation within the App without opening another app (“Native Booking”), you provide us with your name, your phone number (this enables you to communicate with your driver), your email address (to provide customer service and help ensure the safety of the transport services), and your payment details.

      If you sign up for CM Pass, you provide us with your name, email address, home address, mobile phone number and date of birth so that we can verify your identity. If we are not able to verify your identity using this initial check, we will ask you to provide additional information (such as a copy of your passport ID page or driving licence, proof of address or your photograph (“Additional ID Documents”). We never use this information for any purpose other than verifying your identity so we can provide you with CM Pass. You also provide us with your payment details to pay for your subscription and other fees as specified in the Citymapper Pass Terms.

    2. Places and Preferences

      You may choose to provide us with information on your places and preferences, such as Home, Work, Saved Places, and other travel preferences. We use this information to develop personalised journey-planning services. We also analyse this data in aggregate to improve the App (for example, by ranking certain journey results more highly than others).

    3. Direct Communications

      When you communicate with us (for example when you respond to in-App survey questions, report problems, raise queries etc.) we may receive information about the type of phone you're using, your service provider and, if you've enabled the location permissions in your device, the latitude and longitude of your location when you contact us. We use this information to fix problems in the App, with Native Booking or with CM Pass, to reply to your communications and to help keep you safe.

  2. Information created when you use our App or CM Pass

    The following are the types of information created when you use our App or CM Pass. We associate this information with an installation ID number that is randomly generated each time you install the Citymapper App. We use this installation ID to pseudonymise the data we collect from you. We do not access any permanent device ID numbers.

    1. Location Information

      We use the location data described in this “Location Information” section to improve results in the App and for the purposes identified below.

      Users of the Citymapper App: if you've enabled your device's location services we may collect and use your start location information when you open the App. If you disable your device's location services we collect only the start and end points that you search manually.

      When you tap ‘GO’ in the Citymapper App, we collect your location information throughout your journey. We use this data to provide on-trip support, such as alerting you when to get off a bus.

      Native Booking: If you make a Native Booking, we collect your location information when the Citymapper App is running both in the foreground and background of your device during your journey. Knowing your location during your ride enables on-trip support and passenger and driver safety.

      In addition to your location data, we store your booking details, your driver and vehicle information, the date and time of your journey, the amount charged, your pick-up and drop-off location, cancellations and no shows. We use this information for operational reasons, such as providing customer support.

      CM Pass Users: If you are a CM Pass user, we will collect your location information as described above if you tap ‘GO’ in the Citymapper App while using your CM Pass.

    2. Device Information

      We collect information about the devices you use to access our App, including the type of computer or device you use, the installation ID of the App on your device, the hardware model, operating system and versions, software, file names and versions, the preferred language, time zone settings, and device motion information. This information is necessary for us to diagnose bugs and improve the App. We do not collect any permanent device ID numbers.

    3. Log and Usage Information

      Each time you open the App, we collect information about how and when you use it (such as the time and date, searches in the App features and journey results you select, pages visited, app crashes and other system activity). We use this information to improve our App in multiple ways. For example, fixing bugs preventing future crashes and working out which features our users find most helpful.

    4. Cookies

      The App uses cookies to store certain information. Cookies are pieces of information that a website or app transfers to your hard drive or mobile device to store and sometimes track information about you. Although they identify a user's device, cookies do not reveal the name, email address or other obvious identifiers of users.

      We try to make your experience of the App simple and meaningful. When you visit our App, our server sends a cookie to your computer or mobile device (depending on how you access the site or App). Cookies are small pieces of information which are issued to your computer when you visit a website and which store and sometimes track information about your use of the site. A number of cookies we use last only for the duration of your web session and expire when you close your App. These are known as “session cookies”. Other cookies are used to remember you when you return to the App and will last for longer. These are known as “persistent cookies”.

      We use cookies to:

      • remember that you have visited us before, which allows us to identify the number of unique visitors we receive. This allows us to make sure we have enough capacity for the number of users that we get and to; customise elements of the promotional layout and/or content of the pages of the App; and

      • collect information about how you use the App so that we can improve the App and learn which parts of the App are most useful.

      Some of the cookies used by our App are set by us and some are set by third-party analytics and crash/error-reporting companies as described in this policy.

      Most browsers automatically accept cookies but, if you prefer, you can change your browser to prevent that or to notify you each time a cookie is set. You can also learn more about cookies by visiting www.allaboutcookies.org which includes additional useful information on cookies and how to block cookies using different types of browsers. By blocking or deleting cookies you may not be able to take full advantage of the App's features.

  3. Information from Other Sources

    Citymapper collects the following types of information from other sources.

    1. Payment information

      In order to pay for your CM Pass, Native Bookings, or Citymapper Club, you will need to provide payment information. Apple and Google collect credit or debit card (“Payment Card”) data with respect to in-app purchases of Citymapper Club, and our payment processor collects Payment Card data with respect to CM Pass and Native Booking payments. For CM Pass and Native Bookings, you provide your Payment Card information directly to Stripe, which processes payments on our behalf. Stripe uses this payment information in accordance with its privacy policy. Stripe provides us with some limited data related to you, such as the last four digits of your card number and expiration date, which we use in order to handle operational issues such as subscriber and passenger queries about charges.

    2. Log-in Information

      If you log into your Citymapper account using Facebook or Google we receive your name and email address. We do not collect or use any other information received from those two companies.

    3. Identity verification

      If you sign up for CM Pass, we receive a due diligence report from third-party agencies that provide identity verification, in order to confirm your identity. This information is necessary to prevent fraudulent or unauthorised use of our services and to comply with our legal obligations.

    4. Cardholder ID and transaction information for CM Pass

      If you are a CM Pass user, we receive a “Cardholder ID” from the third-party company that issues your CM Pass card. The Cardholder ID is your unique identifier that tells us which CM Pass card has been issued to you. When you use the CM Pass, we also receive your transaction information from this third-party company, including the date, time, amount and the merchant details associated with the transaction. This information is necessary in order to provide the CM Pass service and to comply with our legal obligations.

    5. Driver details

      If you are a driver for a Native Booking Service provider, we receive your name, vehicle information, photograph, phone number, and current location from that Native Booking Service provider. This information facilitates your communication with and pick up of, your assigned passenger and is used to create transaction receipts for passengers.

How we use your information, summarised

In summary, we use the information we collect to:

We work hard to improve the App and add functionality, which we think will make it safer, more fun and more useful. New functionality may involve similar or incidental uses of your data to those set out above. We regularly review the way we use data and will update our privacy policy if anything changes.

What third parties receive your information?

From time to time we may share information with third parties to improve the App and enhance user experience. To the extent possible we pseudonymise (remove information that identifies you) and minimize the data we send to them.

What's our legal basis for processing your information?

We'll only process your personal information where we have a legal basis for doing so. Our legal basis to process your personal data includes processing that is:

What are your rights in relation to personal data we hold about you?

Access

You have a legal right to request access to a copy of the personal information we hold about you. In order to do this, contact us at support@citymapper.com. Please use the subject line “DSAR” and include details about what personal information you're looking for. You will need to have created an account in order for us to provide you with your information because without an account, we are not able to connect your Installation ID to a verifiable email address. You must have access to the email address that you used when you created the account so that we can verify your identity.

Deletion

We store your personal information for as long as is necessary to provide our services and products. You have the right to request we delete your personal information if you believe that we no longer need it for the purposes for which it was provided, you wish to withdraw your consent (and we have no other lawful basis to use the data), or we are not using your information in a lawful matter. For legal reasons, we may not always be able to delete your information.

If you ask us to delete your personal information by emailing us at support@citymapper.com, please use the subject line “Account Deletion”.

Note that residual copies may take longer to be removed from our backup systems which cannot be immediately overwritten. Where residual copies are still kept on our back-up systems, they are merely held on the system and are not used for any other purpose. We will keep a record of your request in order to ensure compliance with legal obligations.

We will keep a record of your request in order to ensure compliance with legal obligations.

Marketing opt-out

You have the right at any time to prevent the use of your personal information for direct marketing purposes. If you no longer want to receive marketing messages from us, please let us know by writing to us at support@citymapper.com or clicking on the unsubscribe button at the bottom of marketing emails and you will be unsubscribed accordingly. Please note that sometimes it can take a short amount of time to refresh our records for these purposes. Also, we may still send you non-promotional, transactional messages, or information about your account.

Notifications

We may send you information we think you may find useful (e.g., tube line and subway disruptions and alerts about CM Pass relevant to you) or which you have requested from us by push notification and/or by email (if provided). You can opt-out of receiving further notifications or emails if you wish.

How we keep your information secure

We place great importance on the security of all information associated with our users. We use measures such as encryption, pseudonymisation, information access controls, and firewalls.

Keep in mind that submission of information over the internet and mobile networks is never entirely secure. We cannot guarantee the security of information you submit via the App whilst it is in transit over the internet or mobile networks and any such submission is at your own risk.

How long we keep your information

By providing you with products or services, we create records that contain your information, such as customer account records, payment and activity records. We manage our records to help us to serve our users well and to comply with legal and regulatory requirements. Records help us demonstrate that we are meeting our responsibilities and are evidence of our business activities.

How long we keep records depends on the type of record, the nature of the activity, product or service and the applicable legal or regulatory requirements. How long we retain your information may change based on business or legal and regulatory requirements. If you are a CM Pass user, we keep most of your data as long as you're using Pass and for six years after that to comply with the law and if we face a legal challenge. In some circumstances, we may keep data longer if we need to (because it's in our legitimate interest and/or if the law requires).

What countries will your personal information be sent to?

Information that you submit via the App is sent to and stored on secure servers located in the United Kingdom, other European Economic Area countries and in the United States. Information submitted by you may be transferred by us to our other offices and/or to the third parties mentioned in the circumstances described above, which may be situated outside the European Economic Area (for instance in the United States).

Do you collect children's information?

We do not knowingly collect personal information from children under the age of 13. If you're under the age of 13, please do not submit any personal information through the App or email. We encourage parents and legal guardians to monitor their children's internet use and to help enforce our privacy policy by instructing their children never to provide personal information on our website without their permission. If you have reason to believe that a child under the age of 13 has provided personal information to us, please contact us as specified below, and we will work to delete that information from our databases.

How will you know about changes to our privacy policy?

We may revise this privacy policy from time to time. Any changes and additions to this privacy policy will be posted in the App and are effective from the date on which they are posted. Please review this privacy notice from time to time to check whether we have made any changes to the way in which we use your personal data. This privacy policy was last updated on 10 February 2020.

What if you have a complaint?

We work hard to handle your information responsibly. If you're unhappy about the way we do this, please contact our Data Protection Officer by email to support@citymapper.com.

However, you also have the right to lodge a complaint about the data processing activities carried out by Citymapper with our lead supervisory authority, the UK Information Commissioner's Office. Our ICO registration number is ZA017660.

How to get in touch with us

Please submit any questions, concerns or comments you have about this privacy policy or any requests concerning your personal data by email to our Data Protection Officer at support@citymapper.com. You can also reach us at Data Protection Officer, Citymapper Limited, 1--2 Hatfields, London, SE1 9PG, United Kingdom.