Updated 5.4.2024

PayiQ takes data protection seriously. We follow the principles included in this data protection policy to protect your privacy. PayiQ on velvollinen noudattamaan EU:n yleistä tietosuoja-asetusta ja lakia sähköisen viestinnän palveluista. PayiQ sitoutuu suojaamaan henkilökohtaisia tietojasi asetuksesta ja laista johtuvien vaatimusten mukaisesti.

We always process your personal data in a reliable way. We are always open about how we process your personal data. We take all reasonable measures to protect your personal data from misuse and to keep it secure. We will inform you who you should contact, should you have questions about how your personal data is processed.

1. Basic information

The controller of the data file is iQ Payments Oy (hereinafter PayiQ).

Business ID: 2564925-2

Osoite: Linnankatu 13a A 18, 20100 Turku

Telephone: +358 10 419 2222 (PayiQ customer service)

The name of the data file is the PayiQ Customer Register.

Contact person for matters related to the processing of personal data: Riikka Pöyry, riikka.poyry@payiq.net

2. Purpose and legal basis of processing personal data

We collect data in order to provide, maintain, protect, develop and improve our service. If you contact us through the feedback channels, we will retain the contact in order to be able to solve any problems you may encounter.

The processing of personal data by PayiQ is based on one of the following legal bases under Article 6 of the EU General Data Protection Regulation (GDPR, 2016/679).

  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (GDPR 6 art. 1.b).
  • The data subject has given consent to the processing of personal data (GDPR 6 art. 1.a).
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (GDPR 6 art. 1.f).

3. Content of the data file

Our application can be used in different ways, and depending on the way of use, we collect different information. By registering a user account, the customer gets access to all its features, but registration is not mandatory. Data types and the purposes for collecting them are listed below.

Necessary data:

  • Email address
    • Functions as the identifier of registered customer, needs to be verified during registration.
    • Used for sending receipts of purchases (optional).
    • Customer service communication.
  • User ID
    • Unique identifier that allows usage of application without registration.
    • Used to enable application functionality, account management, reporting and data analytics.
  • Device ID
    • Used for application functionality to ensure the application and user security through fraud prevention and compliance.
  • Purchase history
    • We are required by law to store transaction history for purchases, so this information is retained even if the user account is deleted.
  • Analytics, diagnostics, and crash logs
    • This data is anonymized and not stored in the customer information.
    • Used for development of the service.

Optional data:

Optional data is any data that we collect either as needed or to enable specific functionality in the application that is not part of the necessary core functionality (i.e., buying tickets). Optional means that the customer can either opt out of giving permission for us to access this data type in the application or can refuse to enter the information.

  • Location
    • Application uses precise or coarse location to enable security features for fraud prevention and compliance and some location-based services.
  • Puhelinnumero
    • Required for the purchase of specific tickets.
  • Address
    • Required for the purchase of specific tickets.
  • Nimi
    • Required for the purchase of specific tickets.
  • SSN
    • Required for the purchase of specific tickets.

4. External APIs and SDKs

PayiQ uses the below mentioned external APIs in the application.

Google

  • Google login
    • We use Google login as an alternative means for customers to register as users and login to our service.
    • Requested user data: email address. This is used as user ID for registration and login purposes.
  • Firebase messaging
    • We use Firebase messaging service to send the customer push notifications on both operating systems (Android and iOS).

Apple

  • Apple login
    • We use Apple login as an alternative means for customers to register as users and login to our service.
    • Requested user data: email address. This is used as user ID for registration and login purposes.

Optional:

Changers

  • GreenImpact feature
    • We use Changers CO2 fit platform and services to measure distances traveled according to the type of mobility and to calculate trips’ CO2 emission savings.
    • Requested user data: background location. Location information is used for recording trips.
    • Users can opt in or out of this feature and define location permission.

5. Regular sources of information

With the consent of the customer, the customer data contained in the data filing system is obtained from the customers themselves.

6. Personal data storage period

The data collected will be stored for as long as the user account created by the customer is valid or for as long as it is necessary due to the nature of the information and due to applicable law, such as the Accounting Act.

7. Regular data disclosure and recipient groups

When required, personal data contained in the data file will be disclosed to external persons or organizations as follows:

  • To payment service partners to deliver the service
  • The feedback received by PayiQ will be forwarded to the parties responsible for making corrections related to the feedback.
  • Within the limits allowed and obligated by the current legislation

8. Transfers of personal data outside the European Economic Area

No data is transferred outside the EEA.

9. Principles of register protection

The information security and confidentiality of personal data will be ensured by appropriate technical and administrative measures in accordance with good data processing practice. All data is encrypted in transit.

The database containing personal data is stored on a virtual server which can be accessed only by designated individuals whose duties require authorized access. The server is protected with an appropriate firewall and technical protection mechanisms. Access to the databases and systems is only possible by means of personal usernames and passwords which are assigned specially for this purpose. In addition, the database and system usage events are registered to the log data in the controller’s IT systems.

The controller’s employees and other individuals are committed to meeting the obligation of secrecy and to maintaining the confidentiality of the information received in connection with the processing of personal data.

10. Rights of the Data Subject

The data subject has the following rights, in accordance with the EU’s GDPR:

  • Right of access: Customer has the right to know what personal data about them is collected. Customer can view the majority of this information in the application settings and purchase history.
  • Right to erasure: Customer has the right to request the erasure of their personal data. Customers can delete their user account directly from the application or request deletion by contacting PayiQ. We are required by law to store transaction history for purchases, so this information is retained even if the user account is deleted.
  • Right to rectification: Customer has the right to request that any inaccurate and incorrect personal data is corrected without unnecessary delay.
  • Right to restriction of processing: Customer has the right to restrict the processing of their personal data if they contest the accuracy of the personal data.
  • Right to data portability: Customer has the right to receive personal data in a structured, generally used, and machine-readable form, and the right to transfer the data to another data controller, provided that the processing is based on consent and the processing is carried out automatically.
  • Right to file a complaint with a supervisory authority: Customer has right to file a complaint with the supervisory authority if they consider that the processing of personal data is in violation of the EU General Data Protection Regulation.

Privacy Policy for Oulu Tickets application GreenImpact feature

  1. Scope

This privacy policy applies to the use of the piggyback app of Oulu Tickets. With regard to the terms used, such as “personal data” or their “processing”, we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR). This app is published in the Google Play Store and Apple Appstore by iQ Payments Oy, technical partner for the so-called “Changers SDK”, which is necessary for the operation of the app, is Blacksquared GmbH, Berlin.

  1. Provider and contact person

Person responsible for the collection, processing and use of personal data in the context of providing the Changers SDK:

Blacksquared GmbH

Bleibtreustrasse 53

D-10623 Berlin

Managing director: Daniela Schiffer

Local court Charlottenburg HRB 185884 B

VAT-Id. No. DE 282 11 63 39

E-mail: support@changers.com

  1. Collection, processing and use of personal data for the operation of the Changers SDK

3.1 Use of the Changers CO2 fit platform and services

With the use of Changers CO2 fit offers, distances traveled can be recorded according to the type of mobility. These are running, cycling and the use of public transport. Depending on the publisher’s offer, you can use these bonus points to buy vouchers for rewards in the app or participate in raffles. In addition, the participation of users can be linked to individual donation projects or tree planting.

3.2 General explanations

The use of the app is anonymized. No personal data such as name or email need to be stored. The user account is identified via a user ID or UUID in the backend.

Your personal data will not be passed on to third parties. The only exceptions to this are our service and contractual partners who are used in the context of the contractual relationship and companies that serve Blacksquared GmbH as cooperation partners. Since the anonymization of your data represents a processing of your personal data, we would like to obtain your permission with this declaration.

Data processing for other purposes or transfer to third parties, unless explicitly stated in this privacy policy, will not take place without your explicit consent. Something else only applies if we are legally obligated to release data (information to law enforcement agencies and courts; information to public bodies that receive data due to legal regulations, e.g. tax authorities).

3.3 Registration information and other personal data of the users

When you register as a user of the Piggyback App, we create a so-called UUID for your account in our system, which is stored in our system (“Registration Information”). In order to use the full functionality of the Services, you must also enable location sharing in your smartphone.

When you register in the app, we store your account data and the date and time of your registration on the servers of our service provider AWS Frankfurt, located in Frankfurt am Main, Germany.

3.4 Collection of location and movement data by the piggyback app (tracking)

The piggyback App allows users to collect data about their use of more or less CO2-saving means of transport for certain routes and to evaluate the carbon footprint of such activities. The personal data is used to validate the distances traveled in the corresponding mobility type and to calculate the bonus points (ReCoins) to be awarded.

The piggyback app uses, among other things, the GPS and positioning interfaces of the respective mobile devices or the navigation software used by the mobile devices to determine the current location of the users, to measure the distance traveled and, to verify the information provided by the users about the means of transport used, to compare it with maps and other publicly available data.

3.4.1 How are the distances traveled measured?

We use MotionTag technology to capture the journeys.

MotionTag uses machine learning from smartphone sensors to develop smart mobility solutions that measure mobility data in real time and distinguish between mobility types. This technology is also used, for example, in apps from transportation companies for smart ticketing. The collected data can be used by MotionTag, for example, to map anonymized and cumulated traffic metrics such as a modal split or a heat map of all routes traveled in a region. This allows transportation infrastructure projects to be better adapted and planned to the actual needs of travelers. Motion Tag is a German company based in Potsdam and hosts and processes the data in Germany according to the requirements of the GDPR.

3.4.2 How are mobility types differentiated?

The distances are measured by the smartphone. For this purpose, we have stored parameters that the smartphone queries after the distance has been measured. These include speed and acceleration values, which are used in particular to distinguish running and cycling from the use of motorized means of transport.

3.4.3 Data storage

The data is stored in the data center of our service provider, AWS Frankfurt in Frankfurt am Main, Germany.

The operator wants to ensure the user full control over his personal data. The User’s legal right to information, correction and deletion of data remains unaffected. The deletion of the User’s personal mobility data does not include the data aggregated and anonymized from this data, which is collected by the Operator in order to compile statistics on collective mobility data and CO2 savings of the users of this App. These anonymized and aggregated data are retained only as long as necessary for the purpose of the data processing, in this case displaying the aggregated company values and activities in the company statistics. (Art. 5 para. 1 lit. e) DSGVO).

3.5 Contacting via the contact form or our helpdesk

If you would like to contact us via the contact form on our website, we will process your first and last name, your email address, and the message text you send to us in accordance with Art. 6 (1) lit. b) DSGVO in order to process your request. There is no link to the data collected in the app. Your information may be stored in our customer relationship management system (“CRM system”) or comparable request organization.

We use the CRM system “Helpdesk”, of the provider Zendesk, Inc.- 1019 Market St, San Francisco, CA 94103, USA) based on our legitimate interests (efficient and fast processing of user requests). For this purpose, we have concluded a contract with Zendesk with so-called standard contractual clauses, in which Zendesk undertakes to process user data only in accordance with our instructions and to comply with the EU data protection level. All processors that previously operated under the now invalid Privacy Shields agreement have since added the relevant standard contractual clauses approved by the European Commission to the data processing terms and security provisions, which, according to the ruling, continue to be legally valid for the transfer of data outside the EU, Switzerland and the United Kingdom.

We delete the inquiries if they are no longer necessary. We review the necessity every two years; we store inquiries from customers who have a customer account permanently and refer to the information on the customer account for deletion. In the case of legal archiving obligations, deletion takes place after their expiry (end of commercial law (6 years) and tax law (10 years) retention obligation).

  1. Legal Basis

4.1 Cooperation with Processors and Third Parties

If, in the course of our processing, we disclose data to other persons and companies (processors or third parties), transmit it to them or otherwise grant them access to the data, this will only be done on the basis of a legal permission (e.g. if a transmission of the data to third parties, according to Art. 6 para. 1 lit. b DSGVO is necessary for the performance of the contract), you have consented, a legal obligation provides for this or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.).

If we commission third parties with the processing of data on the basis of a so-called “order processing agreement”, this is done on the basis of Art. 28 DSGVO.

4.2 Transfers to third countries

If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third-party services or the disclosure or transfer of data to third parties, this will only occur if it is done in order to fulfill our (pre-)contractual obligations, on the basis of your consent, due to a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or allow the processing of data in a third country only if the special requirements of Art. 44 et seq. DSGVO are met. This means that the processing is carried out, for example, on the basis of special guarantees, such as the officially recognized determination of a level of data protection that corresponds to the EU (e.g. for the USA by the “Privacy Shield”) or compliance with officially recognized special contractual obligations (so-called “standard contractual clauses”).

All processors that previously operated under the now-invalid Privacy Shields agreement have since added the relevant European Commission-approved standard contractual clauses to their data processing terms and security provisions, which remain legally valid for transfers of data outside the EU, Switzerland and the United Kingdom, according to the ruling.

4.3 Cookies & Reach Measurement

Cookies are pieces of information that are transmitted from our web server or third-party web servers to users’ web browsers, where they are stored for later retrieval. Cookies may be small files or other types of information storage.

We use “session cookies”, which are only stored for the duration of the current visit to our online presence (e.g. to enable the storage of your login status and thus the use of our online offer at all). In a session cookie, a randomly generated unique identification number is stored, a so-called session ID. In addition, a cookie contains information about its origin and the storage period. These cookies cannot store any other data. Session cookies are deleted when you have finished using our online offer and you log out or close the browser, for example.

Users are informed about the use of cookies in the context of pseudonymous reach measurement as part of this privacy policy.

If users do not want cookies to be stored on their computer, they are asked to disable the corresponding option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this online offer.

You can object to the use of cookies used for reach measurement and advertising purposes via the Network Advertising Initiative opt-out page (http://optout.networkadvertising.org/) and additionally the U.S. website (http://www.aboutads.info/choices) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/).

4.4 Collection of access data and log files

We collect on the basis of our legitimate interests within the meaning of Art. 6 para. 1 lit. f. DSGVO, we collect data about each access to the server on which this service is located (so-called server log files). The access data includes the name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address and the requesting provider.

Log file information is stored for security reasons (e.g. to clarify acts of abuse or fraud) for a maximum of seven days and then deleted. Data whose further storage is required for evidentiary purposes is exempt from deletion until final clarification of the respective incident.

4.5 Online presences in social media

We maintain online presences within social networks and platforms in order to be able to communicate with the customers, interested parties and users active there and to inform them about our services there. When calling up the respective networks and platforms, the terms and conditions and data processing guidelines of their respective operators apply.

Unless otherwise stated in our privacy policy, we process the data of users if they communicate with us within the social networks and platforms, e.g. write posts on our online presences or send us messages.

4.6 Google Analytics

We use Google Analytics, a web analytics service provided by Google LLC (“Google”), on the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offering within the meaning of Art. 6 (1) lit. f. DSGVO) Google Analytics, a web analytics service provided by Google LLC (“Google”). Google uses cookies. The information generated by the cookie about the use of the online offer or within our app by the users is usually transmitted to a Google server in the USA and stored there.

All processors that previously operated under the now-invalid Privacy Shields agreement have since added the relevant European Commission-approved standard contractual clauses to their data processing terms and security provisions, which remain legally valid for transfers of data outside the EU, Switzerland and the United Kingdom, according to the ruling.

Google will use this information on our behalf to evaluate the use of our online offer by users, to compile reports on the activities within this online offer and to provide us with other services related to the use of this online offer and the Internet. In doing so, pseudonymous usage profiles of the users can be created from the processed data.

The IP address transmitted by the user’s browser is not merged with other data from Google. Users can prevent the storage of cookies by setting their browser software accordingly; users can also prevent the collection of the data generated by the cookie and related to their use of the online offer to Google, as well as the processing of this data by Google, by downloading and installing the browser plugin available at the following link: (https://tools.google.com/dlpage/gaoptout?hl=de).

For more information about Google’s data use, settings and opt-out options, please visit Google’s websites: https://www.google.com/intl/de/policies/privacy/partners (“Data use by Google when you use our partners’ websites or apps”), https://policies.google.com/technologies/ads (“Data use for advertising purposes”), https://adssettings.google.com/authenticated (“Manage information Google uses to serve ads to you”).

4.7 Data permissions in the apps

4.7.1 Firebase Crashlytics / Firebase Crash Reporting

We use Firebase Crashlytics / Firebase Crash Reporting (hereinafter Google Firebase) to analyze user behavior and to report on the stability and improvement of the app. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

Google Firebase Crashlytics / Firebase Crash Reporting is used for the stability and improvement of the app. It collects information about the device used and the usage of our app (e.g. the timestamp, when the app was started and when the crash occurred), which allows us to diagnose and solve problems. The data is stored anonymously.

The use of Firebase Crashlytics / Firebase Crash Reporting may require the forwarding of your personal data to the USA. Please refer to the provider’s privacy policy for the storage period of the data collected in this way.

Google Firebase Crashlytics / Firebase Crash Reporting is used to optimize this app and to improve our offers. This represents a legitimate interest within the meaning of Art. 6 para. 1 lit. f DSGVO.

Weitere Informationen zu Google Firebase findest du unter:

https://firebase.google.com/

https://firebase.google.com/terms/crashlytics/

https://firebase.google.com/support/privacy/

4.7.2 Push Notifications

We ask for permission to send you push notifications when you first install (Android) or use (iOS) the app. We use Google’s Firebase Cloud Messaging (Android) and Apple Push Notifications (iOS) for push notifications. Firebase and Apple generate a calculated key, which is composed of the identifier of the app and your device identifier. This key is stored on our push platform with the settings you have selected in order to provide you with the content according to your wishes. The Firebase or Apple servers cannot draw any conclusions about the requests of users or determine any other data related to a person. Firebase and Apple serve exclusively as transmitters.

4.8 Integration of third-party services and content

Within our online offer, we use content or service offers of third-party providers on the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offer within the meaning of Art. 6 para. 1 lit. f. DSGVO) to integrate content or services offered by third-party providers, such as videos or fonts (hereinafter uniformly referred to as “content”). This always requires that the third-party providers of this content are aware of the IP address of the user, since without the IP address they could not send the content to their browser. The IP address is thus required for the display of this content. We strive to use only such content whose respective providers use the IP address only for the delivery of the content.

Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. The “pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and may contain, among other things, technical information about the browser and operating system, referring websites, time of visit and other information about the use of our online offer, as well as be linked to such information from other sources.

The following presentation provides an overview of third-party providers and their content, along with links to their privacy statements, which contain further information on the processing of data and, in part already mentioned here, opt-out options:

External fonts from Google, LLC., https://www.google.com/fonts (“Google Fonts”). The integration of Google Fonts is done by a server call at Google (usually in the USA). Privacy policy: https://policies.google.com/privacy, Opt-Out: https://adssettings.google.com/authenticated.

Maps of the service “Google Maps” of the third party provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy: https://www.google.com/policies/privacy/, Opt-Out: https://www.google.com/settings/ads/.

Videos from the “YouTube” platform of the third-party provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy: https://policies.google.com/privacy, Opt-Out: https://adssettings.google.com/authenticated.

4.9 Relevant legal bases

In accordance with Art. 13 DSGVO, we inform you about the legal basis of our data processing. If the legal basis is not mentioned in the privacy policy, the following applies: The legal basis for obtaining consent is Art. 6(1)(a) and Art. 7 DSGVO, the legal basis for processing for the performance of our services and implementation of contractual measures and responding to requests is Art. 6(1)(b) DSGVO, the legal basis for processing for the performance of our legal obligations is Art. 6(1)(c) DSGVO, and the legal basis for processing for the protection of our legitimate interests is Art. 6(1)(f) DSGVO. In the event that vital interests of the data subject or another natural person make processing of personal data necessary, Art. 6 (1) lit. d DSGVO serves as the legal basis.

4.10 Revocation, changes, corrections and updatesrungen

As a user, you have the right to request information free of charge about the personal data that has been stored about you. In addition, you have the right to correct inaccurate data, blocking and deletion of your personal data, provided that this does not conflict with any legal obligation to retain data. You can find our contact details here (https://changers.com/imprint/).

4.11 Safety measures

We take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk in accordance with Article 32 of the GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons; the measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as access concerning them, input, disclosure, ensuring availability and their separation.

Furthermore, we have established procedures that ensure the exercise of data subjects’ rights, the deletion of data and the response to data compromise. Furthermore, we already take the protection of personal data into account during the development and selection of hardware, software and processes, in accordance with the principle of data protection through technology design and through data protection-friendly default settings (Article 25 of the GDPR).

The security measures include, in particular, the encrypted transmission of data between your browser and our servers, as well as between the mobile apps and our servers.

4.12 Data protection officer

The data protection officer of Blacksquared GmbH is:

RA Christoph Kluss

You can reach our company data protection officer by mail at:

Personal/Confidential

Blacksquared GmbH

Christoph Kluss

Bleibtreustraße 53

10623 Berlin, Germany

4.13 Changes and updates to the privacy policy

We ask you to regularly inform yourself about the content of our privacy policy. We adapt the data protection declaration as soon as changes in the data processing carried out by us make this necessary. We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification.

This privacy policy was last updated on September 21, 2020.