Privacy
This document describes how we collect and use the data concerning the use of our services. We keep it simple and easy to understand, as our company has been built on openness and our services on trust. Here you will also find our contact information in case you would need any further assistance. If you are a Rydoo user, or just browsing our website, this policy will be applicable to you.
Introduction
At Rydoo, we understand the needs of privacy and safety. We consider our user’s trust as one of our most valuable assets. Therefore, we want to ensure your data is safe with us.
Rydoo N.V. and Rydoo Sp.Zo.o and their local subsidiaries provide business process outsourcing services in the areas of travel and expense management using modern technology solutions.
Our expense management services allow the client to capture, track and store his business expenditure receipts, as well as to generate and submit for approval the expense reports derived from those receipts, which are uploaded via either web, e-mail and/or mobile applications.
This policy applies to all the platforms you can use to get access to our services and all the data we collect using those platforms.
This policy may change when the applicable legislation changes or if we decide to extend our services. Please visit this page regularly to be kept up to date.
If you do not agree with this Privacy Policy, we kindly advise you to not use or stop using our services.
What kind of information do we collect?
Information provided by you or your employer
Depending on the services you or your employer have selected, we collect some specific information about you:
- For our expense management services we need your identification data (name, professional email, and information about those expenses that may help your employer reimburse them – which may include bank account number, the scanned receipt, credit card statements, etc.).
- We collect data on behalf of your employer (acting as the data processor), but we also collect data in our name, to improve our services, protect our networks from attacks or intrusions, think of new features which may be useful for you, etc. (In such cases, we are acting as the data controller).
If you can book accommodation, flight or rail tickets using Rydoo, the supplier (the transportation or accommodation provider) will need to know certain things about you to process your booking and deliver its services, like your first name, last name, ID document number, contact details, other travelers’ data; sometimes your date of birth.
The use of our services does not require users to fill in or upload sensitive personal data. To avoid unnecessary exposure, we ask you to make sure that sensitive personal data are not filled in or uploaded to your account (intentionally or accidentally) in any form as photos, notes or other if it is not necessary. Required personal data are normally limited to name, email address and information about the corresponding expenses or trips being managed by Rydoo. However, the Client (your employer) may require additional data.
Information we collect automatically when you use our services
When you use our services, we also collect certain information automatically like your IP address, browser type and version or mobile device data and local settings, e.g. language; activity on our website, including the pages you visited and searches you made.
Information from other sources
If you use a third-party payment provider, if you link your profile with social media or instant messaging profile or if you use our platform via third party integrated software, we can collect information from those sources.
All our accommodation and transport services providers may also share with us information about you and your trip.
Refer a friend
In case we would enable a refer-a-friend functionality, you must always seek your friend’s consent to our use of your friend’s name and e-mail address to contact them about our services. By providing us with your friend’s name and email address, you warrant that your friend consents to such contact.
What is the purpose of data collection?
Summary: We need to see if you (or your company/employer) would be interested in getting our products (Legal basis: Legitimate Interest). We only process some of this data if you agree to it beforehand (Legal basis: Consent).
In addition, we process some data on behalf of your employer so we can provide you with our services and your employer can fulfill its obligations. (Legal Basis: The performance of a contract).
We also need our users and travelers’ data to provide our services to them: searching for hotels and rates available, booking rooms or tickets, managing expenses, creating and transmitting expense reports or any other service we provide and to improve our services for our clients. (Legal Basis: the performance of a contract / Legitimate Interest)
We also use your contact information to inform you about any changes to trip itineraries, any actions waiting for you in the system or any new features and services available. (Legal Basis: the performance of a contract)
How long do we store your data?
Summary: Personal data is gathered for a specific purpose and stored also for a specific purpose. The overall rule we apply is that we will delete all the data within 6 months after the end of the year when the data is no longer needed for any purpose. You can find out more about the specific categories in the Data retention section.
Please be aware that there are various purposes for which we gather and later process your personal data. We take into consideration all those purposes and have defined a data retention period for each category of the personal data (you can see more information here in this table).
We have a deadline of 6 months after the end of the year of termination of the purpose, because even though we regularly archive the data that is not needed anymore from our system, this deleted data may stay in the system or the infrastructure logs and backups. These logs and backups are deleted within a period of 6 months.
Where is your personal data processed?
We mainly process your personal data within the European Economic Area (EEA). Being the data processor, Rydoo relies on a limited number of sub-processors to perform well-defined elements of its services. Some of these sub-processors may be located outside of the EEA. They have been selected carefully and all have adequate privacy guarantees in place. To read more about these please see our Subprocessors section.
How we secure the Data
Summary: We use appropriate technical and operational measures (e.g. data encryption, security audits, hashing, etc.) to secure information collected by Rydoo. We are ISO 27001 certified; you can read more about it here.
When providing our services, we only engage subcontractors, parent or subsidiary companies which adhere to equivalent rules on the protection of personal data in line with EU regulations. You can read more information about it here.
Children’s personal data
Rydoo services are meant to be used only by adult users (over 18 years old). Underage persons’ data collected by an employer will be collected only with parents / legal guardians’ permission (as it is the employer’s responsibility to obtain).
Who is responsible for data processing?
- Rydoo Sp.zo.o., al. Jerozolimskie 180, 02-486 Warsaw, Poland
- Rydoo NV, Hendrik Consciencestraat, 40/42 2800 Mechelen, Belgium
Data Protection Officer
For Rydoo Expense, we have appointed Diana Jiménez Aguirre as Data Protection Officer.
In case of any request related to data privacy, you might reach our DPO by e-mail: privacy@rydoo.com.
For Rydoo Travel: We have appointed Karolina Salska as Data Protection Officer.
In case of any request related to data privacy in our Travel Solution, you might reach our DPO by e-mail: travel.privacy@rydoo.com.
What we will do if there is an update to this policy
From time to time, we may change our privacy practices. We will notify you of any changes to this Policy as required by law. We will also post an updated copy on our website. It will have a different date and version number from the one set out below. Please check our site periodically for updates.
Significant changes will be communicated to your company admin or through an email.
Data retention schedule for our application users
Data Category | Explanation | Retention period |
Identification data | ||
PII | Name, login, title, email address, IDs assigned by the controller. | Account deactivation + 10 years |
Contact data | Address (work and home), other addresses, telephone number (work and home). | Data deleted, account deactivated or requested to stop processing/delete data |
Identification information assigned by government institutions | ID card number, passport number, drivers license number, license plate number, etc. | Data deleted, account deactivated or requested to stop processing/delete data |
Electronic identification data | IP addresses, cookies, connection moments, etc. | Account deactivation + 10 years |
Electronic localization data | Cell tower data, GPS data, etc. | Account deactivation or consent withdrawn |
Special financial data | ||
Financial transactions | Amounts paid and payable by the data subject, awarded credit lines, sureties, payment method, payment overview, deposits and other guarantees. | Moment of transaction related invoice payment recognized + 10 years |
Personal characteristics | ||
Personal details | Age, sex, date of birth, place of birth, nationality. | Data deleted, account deactivated or requested to stop processing/delete data |
Habits | ||
Travel details | Information regarding business travel habits and preferences | Data deleted, account deactivated or requested to stop processing/delete data |
Leisure pursuits and interests | ||
Leisure activities and interests | Hobbies, sports, other interests. | Data deleted, account deactivated or requested to stop processing/delete data |
Memberships | ||
Memberships (other than professional, political, or in trade unions) – only if required to manage business travel or expenses | Memberships in loyalty programs, organizations, clubs, partnerships, unions, groups, etc. – if used for business travel management or expense management. | Account deactivation + 10 years |
Consumption habits | ||
Travel data | Details regarding the goods and services provided to the data subject. | Moment of transaction related invoice payment recognized + 10 years |
Business expense data | Details regarding the goods and services reported as expenses by the data subject. | Contract end |
Application usage | Details regarding usage of the application by the data subject. | Account deactivation |
Requests, complaints, incidents or accidents | Information regarding a request, accident, incident, or complaint in which the data subject is involved, the nature of the request, damage, involved persons, witnesses. | Closing the case + 10 years |
Profession and employment | ||
Current employment | Employer, title and role description, seniority, work location, specialization or company type, work modes and conditions. | Account deactivation + 10 years |
Photographs recordings | ||
Images | Camera recording, photographic recording, digital photos or scans of receipts uploaded, etc. | Data deleted, Contract end, Request to delete data / stop processing |
Sound recordings | ||
Sound recordings | Phone recordings regarding requests or issues, etc. | Closing the case + 10 years |
Electronic activity logs | ||
Application and infrastructure logs | Logs of user actions and technical requests registered | Account deactivation |
Users login logs | Recorded user login attempts | Account deactivation + 10 years |
Your rights
Summary: You have a right to review the information we collect about you. It is available in your profile (so you can rectify it if needed), and you can always ask for access, deletion or rectification by emailing us or using this form.
You can always contact us if you believe that we are no longer entitled to use your personal data, or if you have any other questions about how your personal information is used. Please email or write to us using the contact details below. We will handle your request in accordance with all applicable EU & national data protection laws.
Contact: privacy@rydoo.com
Right of access
You can request access to your Personal data. You may also request rectification of inaccurate Personal data, or to have incomplete Personal data completed.
You can request any available information as to the source of the Personal data, and you may also request a copy of your Personal data being processed by us.
Right to be forgotten
Your right to be forgotten entitles you to request the erasure of your Personal data in cases where:
- the data is no longer necessary;
- you choose to withdraw your consent;
- you object to the processing of your Personal data by automated means using technical specifications;
- your Personal data has been unlawfully processed;
- there is a legal obligation to erase your Personal data;
- erasure is required to ensure compliance with applicable laws.
Right to restriction of processing
You may request that processing of your Personal data be restricted in the cases where:
- you contest the accuracy of the Personal data;
- we no longer need the Personal data, for the purposes of the processing;
- you have objected to processing for legitimate reasons.
Right to data portability
You can request, where applicable, the portability of your Personal data that you have provided to us, in a structured, commonly used, and machine-readable format. You have the right to transmit this data to another Controller without hindrance from us where:
- the processing of your Personal data is based on consent or on a contract; and
- the processing is carried out by automated means.
You can also request that your Personal data be transmitted to a third party of your choice (where technically feasible).
Right to object to processing for the purposes of direct marketing
You may object (i.e. exercise your right to “opt-out”) to the processing of your Personal data particularly in relation to profiling or to marketing communications. When we process your Personal data on the basis of your consent, you can withdraw your consent at any time.
Right not to be subject to automated decisions
You have the right not to be subject to a decision based solely on automated processing, including profiling, which has a legal effect upon you or significantly affects you.
Right to lodge a complaint to the competent Supervisory Authority
If you have a privacy-related complaint against us, you should complete and submit the Complaint/Data Subjects’ Request Form or make your complaint by email or by letter in accordance with our Global Complaints/Requests Handling Policy. If you are dissatisfied with our response, you may then seek further recourse by contacting the relevant local Supervisory Authority.
Subprocessors
Rydoo’s Subprocessors
Rydoo uses carefully selected subprocessors (including third parties, as listed below), subcontractors and content delivery networks to assist it in providing the Rydoo Services as described in our Terms and Conditions.
What is a Subprocessor?
A subprocessor is a third party data processor engaged by Rydoo, including Rydoo’s sister companies, who has or potentially will have access to or process Client’s Data (which may contain Personal Data). In the following sections we will explain which subprocessors we use and what types of activities they perform. We also mention some of our sub-contractors who in principle do not get access to Personal Data but rarely and incidentally might do so. As a precaution, we have taken the necessary measures and safeguards to make sure that everyone’s personal data is properly taken care of such as signing Data Processing Agreements and EU Standard Contractual Clauses with them.
How do we choose a Subprocessor?
We have a careful selection process where we take into consideration the security, privacy and confidentiality practices of proposed subprocessors that will or may have access to or otherwise process Personal Data. We will not select any subprocessor that cannot guarantee to provide the very same level of Data Protection as Rydoo.
Contractual Safeguards
All of our sub-processors need to comply with equivalent obligations as those required from Rydoo (as a Data Processor) as set forth in Rydoo’s Data Processing Agreement (“DPA”), including but not limited to the requirements to:
- Only collect, process and use the types of personal data relating to the categories of data subjects for the purposes of providing the Rydoo Services under the Contract and for the specific purposes required in each case.
- In connection with their subprocessing activities, use only personnel who are reliable and subject to a contractually binding obligation to observe data privacy, confidentiality and security, to the extent applicable, as established in Data Protection Laws.
- Provide regular training in security and data protection to personnel to whom they grant access to Personal Data.
- Implement and maintain appropriate technical and organizational measures (including measures consistent with those to which Rydoo is contractually committed to adhere to) and provide evidence of compliance with this obligation.
- Promptly inform Rydoo about any actual or potential security breach.
- Cooperate with Rydoo in order to deal with requests from data controllers, data subjects or data protection authorities, as applicable.
What will happen if we engage a new SubProcessor:
Our Clients will be notified of any changes on this page. If the Client has a reasonable objection to any new or replacement Subprocessor, it shall notify Rydoo of such objections in writing within ten (10) days of the notification and the parties will seek to resolve the matter in good faith.
If Rydoo is reasonably able to provide the Rydoo Services to the Client in accordance with the Main Agreement without using the sub-processor and decides in its discretion to do so, then the Client will have no further rights under this provision in respect of the proposed use of the sub-processor. If Rydoo requires use of the Subprocessor in its discretion, it shall seek to satisfy the Client as to the suitability of the Subprocessor or the documentation and protections in place between Rydoo and the Subprocessor in a period not exceeding ninety (90) days from the Client’s notification of objections.
If the Client does not provide a timely objection to any new or replacement Subprocessor in accordance with this procedure, the Client will be deemed to have consented to the sub-processor and waived its right to object. Rydoo may use a new or replacement Subprocessor whilst the objection procedure in this section is in process.
Termination rights, as applicable and agreed, are set forth exclusively in the Contract.
The following is an up-to-date list (as of the date of this policy) of the names and locations of Rydoo’s Subprocessors, subcontractors and content delivery networks:
SUB-PROCESSOR | ADDRESS | TYPE OF ASSISTANCE | COUNTRY OF PROCESSING | CONTRACTUAL SAFEGUARD (for data transfers) |
Microsoft Corporation (Azure SQL databases – EU) | One Microsoft Place South County industrial Park, Dublin 18, D18 P521 Dublin, Ireland | App data storage within the EU (ISO 27001 & ISO 9001). Automatic reading and translation of receipts. | Ireland, The Netherlands, France and Sweden | N/A – Data Processed in the EU. EU model clauses for onward transfers. |
Sendinblue SA | Rue d’amsterdam 55, 75008, Paris, France | E-mailing platform used for sending out reminders to approvers/controllers | France | N/A – Data Processed in the EU |
Romsan IT Services PVT Ltd | 143/1 Shri Ram Nivas Parvati Gaon, Pune-411009 Maharashtra, India | Controlling services. Controlling checks of bank statements | India | EU Model Clauses. |
Veryfi Inc. (USA) | 28 E 3rd Ave, Suite 201, San Mateo, 94401, California, USA | Automatic reading of scanned receipts | Ireland | N/A – Data processed in the EU. EU model clauses for onward transfers. |
Zendesk Inc. | 1019 Market Street, San Francisco, CA 94103, United States | Customer Support | Ireland, Germany | EU Model Clauses (where applicable) |
Planhat A/B | Planhat AB, c/o WeWork, Regeringsgatan 29111 53 Stockholm, Sweden | Customer Relationship Management Onboarding (only for new clients) | EEA/EU | N/A – Data Processed in the EU |
Chameleon Intelligent Tech Inc. | VeraSafe Ireland Ltd. Unit 3D North Point House North Point Business Park New Mallow Road Cork T23AT2P Ireland (EU Representative) | In-app messaging and customer tours | Ireland | N/A – Data Processed in the EU. EU model clauses for onward transfers. |
Rydoo T&E Unipessoal Lda | Rua Febo Moniz 27, 1150-152 Lisboa, Portugal | Customer support | Portugal | N/A – Data Processed in the EU |
Rydoo Spend Management SAS | 25 Rue du 4 Septembre, 75002 Paris, France | Customer support | France | N/A – Data Processed in the EU |
Rydoo Brasil Software E Serviços De Gestão De Despesas Ltda | Av. Brigadeiro Faria Lima, 1811, conj. 918, 9º andar, CEP: 01452-001, Jardim Paulistano, São Paulo, SP., Brasil | Customer support | Brazil | EU model clauses |
Rydoo Inc. | 222 Broadway 19th Floor, NYC, NY 10038, United States | Customer support | USA | EU model clauses |