General Data Protection Regulation (GDPR)

GDPR bike sharingDonkey and GDPR

At Donkey Republic we welcome and embrace this new legislation.

Keeping our users data safe has always been a core concern for us. We believe the GDPR has already forced the industry to review how they collect and process user data. This page describes what data Donkey Republic collects and what we use it for.

Here’s the short boil down:

  • You own the data we collect from you. You have the rights to have your data: Deleted, Rectified and Returned.
  • The personal data we collect concerns: Name, telephone number, email address, location, IP address. When we collect it and how we process it is described below. We limit the data we collect to a minimum and only collect data that has a specific purpose. The main purposes are:
    • Providing better customer support.
    • Improving our service in terms of our apps and in how our bikes are distributed and maintained.
  • Donkey Republic is hosted in the EU but also use third party data processors which are located both in EU and the US. An example of that is Zendesk which we use to provide customer support and therefore Zendesk processes: Email address and/or phone number as well as details provided by the rider such as their name or location. We have Data Processor Agreements (DPA) with all the external data processors we use. That ensures that the data processors also live up to GDPR regardless of where they run their business.
  • We collect your consent to process your data when you sign up.
  • We are obliged to notify you in case we have any breach of your data.

What the GDPR is

GDPR is a new comprehensive data protection law in the EU which replaces the many different national legislations currently in place. It strengthens the protection of personal data and gives EU residents a greater say in how, why, when and where their personal data is processed. It f.x. Introduces the right to be forgotten. Any organisation that works with data of EU residents has obligations to protect the data regardless where it is stored and whether the processor is a third party data processor.

We fully understand this, so we collect as little personal data as possible and safeguard it as well as we can.

More information on GDPR is available here: https://ec.europa.eu/info/law/law-topic/data-protection_en

Who the GDPR applies to

The GDPR applies to all organisations operating in the EU that process personal data or processing personal data from EU and Swiss residents.

What data the GDPR applies to

GDPR applies to all personal data. The concept of personal data covers everything that can be used to identify a person in a larger group. That includes name, address, email, ip address, cookies, location, unique identifiers, etc.

What personal data we collect and why

When you register

  • We collect email addresses for the account system. Every account is unique due to the uniqueness of the email address, which is used to identify you as a user, log you in and enable you to rent bikes using our system.
  • We collect names so that we know what to call you when we interact.
  • We collect phone numbers to contact you if needed. We use the country code of your phone number to estimate your country of residence.
  • We collect IP addresses and location information in order to detect the misuse of the system, combat abuse and for logging purposes.
  • We do not collect your payment information as this is sent directly to our payment provider in encrypted form. Donkey Republic is a PCI compliant service

When you make a rental and during your rental in the app:

  • We collect the location and timestamp of some actions you took using the Donkey Republic App. They include some page views in the app, some actions in the app, bicycle locks and bicycle unlocks during your rentals, errors among others. We aggregate the information at various cities and periods, analyse the resulting data to drive our strategic and operations decisions such as where to place hubs or how many mechanics to employ to take care of the bicycles. We also use the data to optimise our apps.
  • Location data is only collected when the user’s phone has location services turned on. Turning off location services will automatically opt-out of the collection of location data. Unlocking and Locking the bike requires location services to be on for Android users as this is a requirement from the Android operating system. Ending rental also requires location services to be on so that we know where you dropped the bike.
  • Government bodies also ask for part of this aggregated, anonymous data to make sure that Donkey Republic abides by local rules and regulations and to help them with their city/regulatory planning. Donkey Republic only shares data with partners and governmental bodies which is adequately aggregated to be anonymous.
  • We never sell or profit directly from any of your personal data.

When you’re on www.donkey.bike

  • We use Google Analytics to track user behaviour on www.donkey.bike. This helps us understand how our website visitors get to www.donkey.bike, and what webpages are most relevant for them. Google Analytics sets web browser cookies to identify users returning to the website, optimise performance, and to provide information about our Google AdWords campaigns you have interacted with.
  • We use Amplitude to track specific user behaviours on the website for example clicking a button to download the Donkey Republic app. We have a data processing agreement with Amplitude which obliges its data processing practise to follow GDPR.
  • We set web browser cookies on www.donkey.bike to improve the user experience on the website. This includes:
    • Identification of the visitor by a translation plugin to remember what language you prefer to view the website in.
    • Serving assets e.g. images from a server cache to make the website load faster.
    • Identification of the visitor by a security plugin to prevent attacks on the web.

You can delete any cookies set on your web browser by www.donkey.bike in your browser settings.

  • We collect user information sent through contact forms on www.donkey.bike. This information is stored on the website for 90 days and then deleted. However the information is forwarded securely to internal email addresses and customer support systems.

Where your personal data is stored

We store all user data in data centers in EU countries. Additionally we use data processors which may be hosted outside of EU mainly in the US. We have data processing agreements with all data processors that we use which oblige the data processors to follow GDPR. Most of these providers have additionally chosen to be certified in the EU-US Privacy Shield which is an agreement between EU and US that describes data protection rules required to store data in the US.

You have the right to:

  • Access your data. You can contact us here and ask for a copy of your personal data.
  • Update your data. You can contact us here and ask us to update your personal data such as phone number, name and email address.
  • Delete your data (“The right to be forgotten”). You can achieve that by contacting us here. We do not keep your personal information after your account is deleted. We will also ensure that your personal data is removed from third party services. Removal of data will be done as soon as reasonably practicable and within a maximum period of 180 days, unless EU or EU Member State law requires storage.

3rd parties with whom personal information may be shared

 

Party namePersonal data disclosedPurposeComplianceEU-US Privacy ShieldDPA
HerokuName, Email, Phone number, User location, IP addressHeroku hosts our backend service and the databases where we collect dataLinkYesYes
ZendeskEmail, phone number.

Support or Rider may disclose Full name, one or more locations of the rider; last 4 digits of payment card

Customer SupportLinkYesYes
StripeName, Email, Payment card, IP Address and user location (only in case of dispute)Process paymentsLinkYesYes
SegmentName, Email, Phone number, User location, IP address, User id, web browsing dataCollect and forward dataLinkYesYes
PeriscopeDataName, Email, Phone number, User location, IP addressStore and analyze data.LinkYesYes
AmplitudeName, Email, Phone number, User location, IP address, User id, rental data, usage data, web browsing dataStore and analyze dataLinkYesYes
FacebookNo personal data shared.

We share conversion events with Facebook Ads.

Marketing activitiesLinkYesNo
Google AnalyticsNo personal data shared.

We share conversion events and website traffic with Google Analytics

Marketing activities

Link 1

Link 2

YesYes
TimberName, Email, Phone number, Location, IP AddressServer logging used for performance and security monitoringLinkPendingPending
Mailchimp 

Name, email, phone number.

Rental data – first and most recent rental pickup location and date

User data – member status, app language, user id

 

Marketing and SupportLinkYesYes
NexmoPhone numberPhone number verification,Rider communicationLinkNoYes

Social Media

We kindly ask you not to share any personal information when contacting us on social media platforms like Facebook, Instagram and Twitter.

Internal Policies

Donkey Republic has internal policies in place that prohibits employees from sharing and personal user data in internal communication tool.

Agreements with third parties on data processing

We limit the data we share with the above third parties to the absolute minimum to ensure smooth running of the Donkey platform. We have Data processor agreements in place where necessary, limiting the third party use of data.

Changes to this policy

We reserve the right to make changes to this policy at any time by giving notice on this page. It is strongly recommended to check this page often, referring to the date of the last modification listed at the top. If you object to any of the changes to this policy, you must cease using this service and can request removal of the personal data.

Get in touch with us

If you have any concern about your personal data, please contact us.

Last updated 24-05-2018