Breeze Privacy Policy

Solent Transport Privacy Notice for MaaS App

Solent Transport represents a partnership between the councils of the Isle of Wight, Hampshire County, Portsmouth and Southampton. Solent Transport is delivering the mobility-as-a-service platform, Breeze app, built and delivered by Trafi Ltd.

This Privacy Notice tells you about how Solent Transport collects and uses personal information.

Hampshire County Council, Portsmouth City Council, Southampton City Council and Isle of Wight Council (the Partners) are joint data controllers for the data processed by Solent Transport.

This Privacy Notice should also be read in conjunction with the Partners’ privacy policies, which can be found via the links below:

Why do we collect and use your personal data?

Personal data is collected to enable you to access the transport services provided through the Breeze app.

When you access, connect to, download, create an account for, make purchases within or otherwise use the Breeze app, we will collect personal data about you.  The personal data we collect will depend on the circumstances and the services you are using or requesting.

In this notice

How we get your information

We get information about you from the following sources:

  • Directly from you, through information you provide via the Breeze App and through enquiries you make via the website
  • From cookies, which provide us with information about your visit to the website and use of the app.

What personal data we process and why

The information we process about you will fall within the following categories and is required to enable the transport services to be provided to you via the Breeze App:

  1. From use of the App

Your details

  • Full name
  • Date of birth
  • Address
  • Driving licence copy (back and front)
  • Facial photograph and video
  • Gender
  • Phone number
  • Email address
  • Password
  • User name
  • User ID
  • Language settings
  • Provider (Facebook, Google, Apple)
  • Company name and Invitation Code to connect to your company allowance, when applicable
  • Your budget and renew date as defined by your Company
  • Mobile number and ID Token to enable user authentication for security purposes
  • Version number and time of acceptance of applicable terms and conditions of use and privacy policy of Solent Transport and third parties

Payment

  • Credit card type
  • Credit card number
  • Card holder full name
  • Credit card validity date
  • Credit card verification number
  • User ID
  • Payment method ID

Technical

  • DeviceID, IP address and installation IDs
  • App language and version
  • Operating system and version
  • Device model and its properties
  • Type of network connection (e.g. WiFi, 3G, LTE, Bluetooth)
  • Network provider, network and device performance, browser type
  • Transferred data volume

Location

  • GPS signals, device sensors, Wi-Fi access points, and tower ids to estimate the precise location
  • start location
  • destination
  • start time
  • arrival time
  • journey time
  • connection times
  • type of transport
  • prices
  • user rating of connection information

User ID

  • T&C acceptance
  • Ticket booking ID
  • Ticket departure and zone
  • Ticket tariff, price and VAT
  • Ticket ID
  • Ticket class
  • Ticket barcode
  • Ticket validity
  • Ticket traveller name
  • Ticket discount and discount amount
  • Ticket type (one-way or return)
  • Ticket Invoice details

Time

  • Timestamp
  • CategoryAddedAt
  • CommentAddedAt
  • RatingAddedAt
  • Time
  • Request/Response.From.Coordinate
  • Now/Start.Timestamp

Trips

  • Ride info
  • User ID
  • User agents
  • IP addresses
  • Date and time of first use
  • Date and time of last use

Marketing Data

  • Destination URLs you access
  1. From enquiries made to Solent Transport or a Partner Local Authority

  • Name and contact details
  • Payment information
  • Trip details
  • Other information that may be required to resolve your enquiry
  1. From cookies

Cookies and similar technologies are small text files that are stored on web browsers or devices by web pages, apps, online media or companies.

  • Trafi Ltd use technologies for the purposes of exchanging information with service providers, authentication and remembering preferences and settings. Details of cookies used by Trafi Ltd can be found here

Lawful basis for processing your personal data

Depending on the service, we rely on the following lawful basis for processing your personal data under the UK GDPR:

  1. For delivering transport services via the Breeze App

Article 6(1)(a) – you have given us your consent to process:

  • Your details / Time and Trip data / Location data

Article 6(1)(a) and Article 9(2)(a) – you have given us your explicit consent to process:

  • Facial photograph and video

The processing is necessary to prevent illegal attempts to defraud the verification process to enable the technology to confirm you are a real person and not an imposter using a picture or other method to fraudulently obtain travel services without holding a valid driver’s licence.

Article 6(1)(b) Contract – the processing is necessary for the delivery of services under the Terms and Conditions of Use of the app, following data will be processed:

  • Your details / User ID data / Payment Data /Technical data / Location data/ Time and Trip data

Article 6(1)(c) Legal obligation – the processing is necessary to comply with the law, including not limited to security and the detection and prevention of fraud. The following data will be processed:

  • Your details / Payment Data
  1. For Research, Monitoring, and Analytical Purposes

Article 6(1)(f) Legitimate interests – the processing is necessary to enable you to access the app and to enable the delivery of a service in accordance with the app terms & conditions. It is also necessary to provide a functioning app and security as (e.g. adapting the app to the requirements of the user device). Information is also processed to allow the app to pursue the legitimate interest in optimising the app and ensuring the security of both the app and our IT systems. The following data will be processed:

  • Your details / User ID data / Payment Data /Technical data / Location data/ Time and Trip data
  1. For Targeted Marketing Purposes

Article 6(1)(a) – you have given us your consent.

We use Google Analytics and use server-to-server Google Measurement Protocol

We will share your personal data only where you have given us your consent.

We use Braze Inc, a third-party marketing provider for marketing purposes, to make you aware of improvements or changes to services (e.g. the introduction of a new service provider) and to provide messages about the promotions or additional services.

  1. Service Messaging and Promotions

Article 6(1)(b) Contract – service messaging is necessary for the delivery of services under the Breeze Terms and Conditions of Use.

Article 6(1)(f) Legitimate Interests – offering generic deals and promotions by sending generic marketing information to Breeze users via in app push notifications is necessary to make users of Breeze aware of improvements / changes to services (e.g. the introduction of a new service provider) and to improve user retention and use of the app. The processing is compliant with the Privacy and Electronic Communications Regulations, as the messages are untargeted

Article 6(1)(c) – legal obligation – to comply with our data protection obligations.

  1. For enquiries/Customer Services

Article 6(1)(b) Contract – the processing is necessary for the delivery of services under the Terms and Conditions of Use of the app.

Article 6(1)(c) – legal obligation – to comply with our data protection obligations

  1. For cookies

Article 6(1)(a) – you have given us your consent. For non-essential cookies you have control over whether these store your data when using the site.

Some cookies are necessary to enable core functionality, and these will be notified to you when you use the app.

How long we keep your personal data

We will not keep your personal data for longer than necessary. How long your personal data is retained for will depend on the lawful basis for which it was collected. Depending on that lawful basis we are not always able to comply with a ‘right to erasure’ request.

If you choose to delete your Breeze account, your account will be scheduled for deletion from the operational data base, which may take a few days.  Once the data has been deleted you will receive an email confirming the deletion.

Please note that we still may be required to process certain information about you after your account has been deleted, in order to comply with our legal or contractual obligations (see “Lawful basis for processing your personal data”). This could be for example where we are required to; investigate a complaint or establish, exercise or defend legal claims, such as in the pursuit of unpaid bills. We are also required to share information with the Police or other agencies for law enforcement purposes which includes traffic offences such as speeding tickets. However, any personal data needed for these purposes will be transferred to a secure archived backup system and will be held in accordance with our retention information detailed in this notice.

Information processed for research and monitoring purposes will be held for the duration of the research project.  At the end of the research project all data will be anonymised.

If you choose to participate in any surveys, you will be redirected to the Privacy Policy of the organisation undertaking the survey which will detail how they manage personal data and how long it will be held for.

Examples of the data which will be held in the archived backup system are detailed in the dropdown arrow below.

Examples of information held in archive system

  • User Information: e.g. User ID or Name
  • Common activity information for all activity types: e.g. Activity ID, Provider, Type, Status, Timestamp
  • User profile update activities: Changes that have occurred (name, birth date, email, gender, address)
  • Mobility Service Provider account creation activities:
  • User status activities: Was blocked or unblocked
  • Solvency check activities: Result of solvency check
  • Payment method activities
  • Document verification activities: e.g. type of document (passport, ID card or driver’s license)
  • Ticket purchase and activation activities: Purchase details (price, payment method used)
  • Trip activities (Sharing, Ride-Hailing, Rentals) and Trip information (start and end locations, trip duration, price and payment information
  • Errors that may have occurred Subscription activities (purchases, renewals and cancellations)
  • Fraudulent actions: Name, Email, Time, Date of birth, Identity Verification Provider session ID Fraud Status

Retention Information of data used to deliver transport services via the Breeze   App

Purpose / Record Type System/ Current Deletion Period Retention Period as Implemented by Trafi Trigger Disposal Method
Product Security and Management Firebase/3 years
Firebase Remote Config

Firebase Dynamic Links
Firebase Cloud Messaging
Storage while customer account is active and it will be erased from the app after 3 years from the last time the user logged in in the app. from the data collection Automatic
Product Operations – Backend (Customer account data, history data, T&C/Consent versions accepted, customer service queries) Backend:
AWS/3years
Backend data:
Storage while customer account is active and it will be erased from the app after 3 years from the last time the user logged in in the app
time starts at end of respective calendar year Automatic
Rail ticket sales data (including refunds) for at least 28 days plus the longest validity period for point to point rail tickets which is currently 3 months for some carnet products Backend:
AWS/3years
Backend data:
Storage while customer account is active and it will be erased from the app after 3 years from the last time the user logged in in the app
time starts at end of respective calendar year Automatic
Product Operations – Frontend (App event tracking – https://docs.aws.amazon.com/pinpoint/latest/developerguide/event-streams-data-app.html) Frontend:
AWS Pinpoint(automatic): Trafi loose front end events after 90 days
Frontend data (mParticle):
Frontend events will be deleted after 90 days from the data collection
from the data collection Automatic
AWS SNS and AWS Cognito AWS/3years Backend data:
Storage while customer account is active and it will be erased from the app after 3 years from the last time the user logged in in the app
time starts at end of respective calendar year Automatic
Data Availability and Logs DataDog/15d (Logs) 15 days from the data collection Automatic
MSPs Data Logs BQ/30days (Logs) 30 days from the data collection Automatic
Data Availability and Backups AWS/30days 30 days from the data collection Automatic
Calculate Statistics (raw data from all users)
Pseudonymised Analytics and Feedback (raw data from users that provided consent)
Google BigQuery/90days

90 days from the data collection Automatic
Customer Support Slack,Jira, Slack/At the end of the contract between client and trafi At the end of the contract between client and trafi At the end of the contract between client and trafi Manual
Identity verification Onfido data base Storage while customer identity and drivers licence is verified. Data is deleted on a rolling 7 day period and is permanently deleted 1 day later. from date of the verification check Automatic

 

Enquiries

Once an enquiry has been received by Solent Transport, it is forwarded to the relevant Partner to respond to and action. Customer Services are provided via Southampton City Council who is also the lead Partner for Information Governance.

The personal data will be held in line with the relevant Partner’s retention schedule, further details of which can be obtained from them directly.

Cookies

Details of cookies used by Trafi Ltd can be found here

Details of cookies used by Unicard can be found here

Details of cookies used by Braze can be found here

Details of cookies used by Onfido can be found here

Data Sharing

In order to respond to enquiries, it may be necessary for Solent Transport to share your personal data with the Partners.

To deliver the service requested by you through the app, it will be necessary for us to share your personal data with:

  • Trafi Ltd, the host provider of the app. The Privacy Policy of Trafi Ltd can be found here.
  • The Mobility Service Providers (transport operators) who provide the transport services purchased by you through the app and you should refer to the Privacy Policy of the individual Mobility Service Providers for further information.
  • Unicard who provide the Breeze customer services and operate the Breeze financial back-office functions.
  • Onfido Ltd provide an identity verification service. A facial photograph and/or video may be required to verify your identity and to confirm your eligibility to access certain services within Breeze (e.g. mobility services which can only be used with a valid driver’s license).

For the purposes of monitoring and evaluation, it may also be necessary to share your personal data and anonymised data with the Universities of Southampton and Portsmouth and the Department for Transport.

For the purposes of marketing, we use Google Analytics and use server-to-server Google Measurement Protocol. We use Braze Inc, a third-party marketing provider for marketing purposes, to make you aware of improvements or changes to services (e.g. the introduction of a new service provider) and to provide messages about the promotions or additional services. Your data can only be shared where you provide your consent within the app and this will permit the tracking of your activity across other companies’ apps and websites.

In some circumstances, we may be legally obliged to share information with other organisations or agencies in order comply with applicable laws and regulations, for example sharing information with the police for crime prevention purposes.

Do we use any data processors?

Data processors are third parties who provide certain parts of our services for us.

The Partners have contracts in place with them and they process data in accordance with this Privacy Notice and they cannot use the data for any other purpose.

  • Processors – Our current data processors for this service are listed below.
Data Processor Purpose Privacy Notice
Trafi Ltd Trafi Ltd is the developer and host provider of the app..

 

Trafi Privacy Notice
Unicard Customer Services and back office reconciliation functions Unicard Privacy Policy
Braze Inc a third party marketing provider Braze Inc Privacy Policy
Onfido Ltd A third party provider of digital identity verification Onfido Privacy Policy

 

Trafi use sub-processers who can be found here and are bound by contractual obligations to ensure compliance with the Data Protection Act 2018 and GDPR obligations.

Unicard use sub-processors who can be viewed on the Unicard Privacy Policy and are bound by contractual obligations to ensure compliance with the Data Protection Act 2018 and GDPR obligations.

Braze Inc use subcontractors who can be viewed on their Privacy Policy and are bound by contractual obligations to ensure compliance with the Data Protection Act 2018 and GDPR obligations.

Onfido Ltd use subcontractors who can be viewed on their Onfido Privacy Policy and are bound by contractual obligations to ensure compliance with the Data Protection Act 2018 and GDPR obligations.

Your rights in relation to this processing

As an individual you have certain rights regarding our processing of your personal data, including a right to lodge a complaint with the Information Commissioner’s Office as the relevant supervisory authority.

These rights include:

  • The right of access – You have the right to obtain confirmation that your data is being processed, as well as access your personal information.
  • The right to rectification – You have the right to have inaccurate personal data rectified, or completed if it is incomplete
  • The right to erasure – You have the right to have all your data erased, also known as the ‘right to be forgotten.
  • The right to restrict processing – You have the right to request the restriction or suppression of your personal data. This is not an absolute right and only applies in certain circumstances
  • The right to object – You have the right to object to processing in some circumstances. The processing must stop unless there is legitimate grounds that override your rights, interests or freedoms, or the processing has been done in regards to a legal claim

To exercise any of these other rights, please contact Solent Transport

You will be able to amend information and rights of access in the App.  You can also delete your account data from the App at any time.