Updated 5.4.2024

PayiQ takes data protection seriously. We follow the principles included in this data protection policy to protect your privacy. PayiQ is required to comply with the EU General Data Protection Regulation and the Act on the Protection of Privacy in Electronic Communications. PayiQ is committed to the protection of your personal data according to the requirements under this Regulation and the Act on the Protection of Privacy in Electronic Communications.

We always process your personal data in a reliable way. We are always open about how we process your personal data. We take all reasonable measures to protect your personal data from misuse and to keep it secure. We will inform you who you should contact, should you have questions about how your personal data is processed.

1. Basic information

The controller of the data file is iQ Payments Oy (hereinafter PayiQ).

Business ID: 2564925-2

Address: Linnankatu 13a A 18, 20100 Turku

Telephone: +358 10 419 2222 (PayiQ customer service)

The name of the data file is the PayiQ Customer Register.

Contact person for matters related to the processing of personal data: Riikka Pöyry, riikka.poyry@payiq.net

2. Purpose and legal basis of processing personal data

We collect data in order to provide, maintain, protect, develop and improve our service. If you contact us through the feedback channels, we will retain the contact in order to be able to solve any problems you may encounter.

The processing of personal data by PayiQ is based on one of the following legal bases under Article 6 of the EU General Data Protection Regulation (GDPR, 2016/679).

  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (GDPR 6 art. 1.b).
  • The data subject has given consent to the processing of personal data (GDPR 6 art. 1.a).
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (GDPR 6 art. 1.f).

3. Content of the data file

Our application can be used in different ways, and depending on the way of use, we collect different information. By registering a user account, the customer gets access to all its features, but registration is not mandatory. Data types and the purposes for collecting them are listed below.

Necessary data:

  • Email address
    • Functions as the identifier of a registered customer; needs to be verified during registration.
    • Used for sending receipts of purchases (optional).
    • Customer service communication.
  • User ID
    • Unique identifier that allows usage of application without registration.
    • Used to enable application functionality, account management, reporting and data analytics.
  • Device ID
    • Used for application functionality to ensure application and user security through fraud prevention and compliance.
  • Purchase history
    • We are required by law to store transaction history for purchases, so this information is retained even if the user account is deleted.
  • Analytics, diagnostics, and crash logs
    • This data is anonymized and not stored in the customer information.
    • Used for development of the service.

Optional data:

Optional data is any data that we collect either as needed or to enable specific functionality in the application that is not part of the necessary core functionality (i.e., buying tickets). Optional means that the customer can either opt out of giving permission for us to access this data type in the application or can refuse to enter the information.

  • Location
    • Application uses precise or coarse location to enable security features for fraud prevention and compliance and some location-based services.
  • Phone number
    • Required for the purchase of specific tickets.
  • Address
    • Required for the purchase of specific tickets.
  • Name
    • Required for the purchase of specific tickets.
  • SSN
    • Required for the purchase of specific tickets.

4. External APIs and SDKs

PayiQ uses the external APIs listed below in the application.

Google

  • Google login
    • We use Google login as an alternative means for customers to register as users and log in to our service.
    • Requested user data: email address. This is used as user ID for registration and login purposes.
  • Firebase messaging
    • We use Firebase messaging service to send the customer push notifications on both operating systems (Android and iOS).

Apple

  • Apple login
    • We use Apple login as an alternative means for customers to register as users and log in to our service.
    • Requested user data: email address. This is used as user ID for registration and login purposes.

Optional:

Changers

  • GreenImpact feature
    • We use Changers CO2 fit platform and services to measure distances traveled according to the type of mobility and to calculate trips’ CO2 emission savings.
    • Requested user data: background location. Location information is used for recording trips.
    • Users can opt in or out of this feature and define location permission.

5. Regular sources of information

With the consent of the customer, the customer data contained in the data filing system is obtained from the customers themselves.

6. Personal data storage period

The data collected will be stored for as long as the user account created by the customer is valid or for as long as it is necessary due to the nature of the information and due to applicable law, such as the Accounting Act.

7. Regular data disclosure and recipient groups

When required, personal data contained in the data file will be disclosed to external persons or organizations as follows:

  • To payment service partners to deliver the service
  • The feedback received by PayiQ will be forwarded to the parties responsible for making corrections related to the feedback.
  • Within the limits allowed and obligated by the current legislation

8. Transfers of personal data outside the European Economic Area

No data is transferred outside the EEA.

9. Principles of register protection

The information security and confidentiality of personal data will be ensured by appropriate technical and administrative measures in accordance with good data processing practice. All data is encrypted in transit.

The database containing personal data is stored on a virtual server which can be accessed only by designated individuals whose duties require authorized access. The server is protected with an appropriate firewall and technical protection mechanisms. Access to the databases and systems is only possible by means of personal usernames and passwords which are assigned specially for this purpose. In addition, the database and system usage events are registered to the log data in the controller’s IT systems.

The controller’s employees and other individuals are committed to meeting the obligation of secrecy and to maintaining the confidentiality of the information received in connection with the processing of personal data.

10. Rights of the Data Subject

The data subject has the following rights, in accordance with the EU’s GDPR:

  • Right of access: Customer has the right to know what personal data about them is collected. Customer can view the majority of this information in the application settings and purchase history.
  • Right to erasure: Customer has the right to request the erasure of their personal data. Customers can delete their user account directly from the application or request deletion by contacting PayiQ. We are required by law to store transaction history for purchases, so this information is retained even if the user account is deleted.
  • Right to rectification: Customer has the right to request that any inaccurate and incorrect personal data is corrected without unnecessary delay.
  • Right to restriction of processing: Customer has the right to restrict the processing of their personal data if they contest the accuracy of the personal data.
  • Right to data portability: Customer has the right to receive personal data in a structured, generally used, and machine-readable form, and the right to transfer the data to another data controller, provided that the processing is based on consent and the processing is carried out automatically.
  • Right to file a complaint with a supervisory authority: Customer has the right to file a complaint with the supervisory authority if they consider that the processing of personal data is in violation of the EU General Data Protection Regulation.