Processing of personal data

Personal data is data that can be linked to you as an individual. This may include data such as your name, telephone number, or gender.

This statement gives you information about UIP Oslo Bysykkel AS (hereafter "UIP") and its processing of personal data in connection with the use of UIP's city bicycle services.

The Privacy Statement provides you with information about which personal data we collect, why we process your personal data, and your rights relating to the processing of your personal data.

Data Controller

UIP Oslo Bysykkel AS (org. No .: 914 253 721) operates and maintains Oslo Bysykkel, and is responsible for the processing of personal data in connection with the city bicycle services. As data controller, UIP is therefore responsible for the processing of your personal data. The person responsible for the data controller determines the purpose of the processing of the personal data, as well as how the data is used.

Our contact information is:

Address: Strandgata 19, 0152 Oslo

Email: post@oslobysykkel.no

Phone: +47 915 89 700

UIP has a privacy representative who can be contacted at dpo@urbansharing.com

If you have any questions related to UIP's processing of your Personal Information or this Privacy Policy, please contact our Privacy Officer as described above.

Which personal data we process, our purposes for data processing, and the legal bases under which we process data

Information about the use of the services which comes from legitimate interest includes:

  • which subscription a user current holds and has held in the past, including timing and payment method;
  • the trips a user has taken, including start and end times, as well as  start and end stations;
  • a phone's position when the app is active to determine that a user is near a station;
  • a scooter’s position along the way, which allows us to locate scooters that are not returned, or that are registered for Ruter;
  • the version of the app and a mobile phone's operating system for each time a bike is retrieved, as well as when a user logs in to our app or website; and
  • which language a user has on their mobile phone so we can talk to them in the same language.

The basis of the processing of the above information is in UIP's legitimate interest in providing its services and operating those services in the best possible manner. This includes identifying a user, giving the user access to scooters, communicating with the user on the platform, and notifying the user of their legal term expiration.

Information a user can choose to share with us, which is justified by our legitimate interests and which may be withdrawn at any time, includes:

  • the name used when communicating with a user;
  • the email address used to send a user messages;
  • a user’s postal code, which we use to analyze where people live, and compare it to where and when they ride;
  • a user’s gender and birth year, which are used to analyze which population groups use our service;
  • A phone's position during a trip, which is used to give a user historical maps, help a user find a better position when ending a journey, and provide a general overview of where people cycle.

We ask a user for consent to send messages by push notification, SMS, or email about the service or other services. Messages can include information such as when a season opens, the opening of new docks, urban scooter facilities in other cities, or information related to our partners.

We provide customized information to users only if they give consent. We use segmented information - such as a user’s postal code - to provide users with relevant information about our services. A user can quickly turn off specialized content in their user profile.

We retain usage history for a temporary period of time in order to safeguard our rights and obligations under contract, while keeping to GDPR standards of data minimizations. Among other things, we will do this to see where the need for scooters is greatest. We provide this data  to users who want to have an overview of which bike trips they have taken over time. UIP also uses this history to improve its services.

We use data for system testing, quality assurance, troubleshooting and other processing needed to improve our services. It is in UIP's legitimate interest in improving its services, as well as delivering flawless services to its users. Users can choose whether they want to share error diagnostics and usage data with UIP in their user profile settings.

We share data in order to comply with legal obligations that UIP is subject to, as well as orders from public authorities, which can include requirements for bookkeeping.

We use data in order to safeguard UIP's rights, including to determine, enforce or defend a legal claim in respect of lost or damaged bicycles. We also use data to safeguard UIP's legitimate interests, such as warnings and exclusions in the event of late delivery of bicycles, or other rights under contract with UIP.

On the iPhone users can choose to store bike rides as training sessions in the Apple Health app. To calculate calorie burn, we process heart rate and weight in our own app. This data never leaves the user’s phone and is not used for data analysis or other purposes beyond the user’s personal history. A user can withdraw their consent for the processing of their health data at any time.

In order to fulfill our contract with a user, we need certain pieces of information, such as a credit card number and telephone number. We cannot meet an agreement with the user without this data.

Who has access to your personal information

Internal access

We only give access to  employees who need personal data to perform their duties.  This mainly means our customer service team, as well as employees who follow up any disputes related to the services. A very limited number of our employees have access to our entire customer register to ensure its continuous operation.

External access

UIP may disclose personal data to third parties if there is a legal basis for extradition. For example, UIP may disclose personal information to public authorities in order to comply with statutory requirements or orders (such as tax authorities or the police), or to safeguard our rights in connection with a dispute with a user (such as to the Consumer Disputes Committee).

We also share aggregated and anonymised data about our users and their use of the service - which cannot identify them as an individual - with research projects and institutions for statistical and research purposes. These research projects are available to the client, as well as open to the public. We also share personal information with partners who give our users membership benefits - such as OBOS. Delivery of this data is dependent on a user’s consent.

UIP uses external data processors to collect, store or otherwise process personal information on our behalf, such as in connection with our IT systems, payment services, email broadcasts, and chat services.  The relationship with these suppliers is regulated by a data processing agreement (DPA), which, among other things, ensures information security for the personal information of our users. A list of providers with whom we have a DPA with can be provided upon request.

All processing of personal information about our users takes place within the EU / EEA area. If a users personal information is subject to processing or storage outside of the EU / EEA, UIP will ensure that your personal data is subject to adequate security guarantees, including through the use of EU standard terms of such transfer, transfer to companies subject to Privacy Shield certification, or by transfer to land which is pre-approved by the EU Commission.

Your rights

A user has the right to demand access, correction or deletion of the personal data we process about them if the terms of this are met. They also have the right to demand limited processing, correct objection to the processing and, in some cases, the right to demand data portability. If the processing is based on a user’s consent, they may withdraw their consent at any time.

A user has access at all times to a list of consents and data we have stored about them in their user profile. There they can correct or delete data, as well as withdraw consent. If they have any questions about their rights, or wish to exercise their rights, they can contact the UIP or our Data Privacy Officer (DPO) via contact information provided on our website. The user also has the right to complain about our processing of their personal data to Datatilsynet.

Retention of personal information

Data Retention

UIP stores your personal information as long as it is necessary to achieve the purposes for which the personal information was collected as defined in this statement. This means that we keep the personal data as long as you are registered with us, unless otherwise expressly stated.

Deletion

If you delete your account at Oslo Bysykkel, you immediately lose access to the service, and our client managers will no longer be able to see you. For operational reasons, however, it may take up to 3 months before all information about you is gone from UIP's systems.

However, continued storage of your personal data may be necessary as a result of UIP's need to:

  • establish, enforce or defend a legal claim, including to safeguard its interests in a dispute with you, for example. lost or damaged bike; as well as
  • fulfill statutory requirements, including requirements for continued storage under the accounting legislation. This applies, among other things, to payment and transaction history, which UIP is obliged to keep for up to 5 years according to bokføringsloven.

How do we protect your personal information

UIP takes its users 'privacy seriously, and has taken appropriate technical and organizational security measures to protect employees' personal information against violations of personal data security, unauthorized access to, and disclosure of personal information, including:

  • Communication with and between our services is encrypted.
  • Stored data is encrypted and is not available to our IT infrastructure subcontractors.
  • Data centers where your information is stored are physically secured against intrusion.
  • All reading of the information about you is logged so that this is verifiable.
  • Access internally occurs with updated software, and with 2-factor authentication at login.
  • Information on payments and payment cards is stored in secure PCI-certified systems by our payment provider PayEx.

Links to other sites

From time to time there may be links on UIP's website to other websites, including web pages operated by our partners. When you follow one of these links, you leave our website. These third-party websites have their own privacy statements that determine how the web pages are operated, as well as how personal information is collected and processed. We recommend that you familiarize yourself with the third-party website's own privacy statements and terms of use when you visit and use these websites.

Amendments

From time to time, UIP will make changes to this privacy statement. An updated version of UIP's privacy statement will be available at all times in the app and on our website. You are encouraged to visit this page regularly to keep up to date with our current privacy statement. If UIP makes changes to the processing of personal data, this statement will be updated. You will be notified of these changes via our app, on the website and / or through the contact information you have provided.