Privacy & cookie policy
Version No. 2
Valid from 01.07.2025
RIDANGO PRIVACY AND COOKIE POLICY
1. Introduction
1.1. Ridango AB (hereinafter: Ridango, contact details: https://www.ridango.com/contact)) offers the following options (hereinafter: the Service):
• buying and using public transport tickets or travel entitlement ;
• managing the funds in the Ühiskaart Account.
1.2. Ridango provides the Service on the basis of contracts concluded with public transport operators and/or local authorities (hereinafter: the Customer) and on their behalf and in their interests.
1.3. Ridango provides the Service on the basis of and on behalf of contracts with public transport operators and local authorities, each of which is the Controller of personal data.
1.4. According to this Privacy and Cookie Policy (hereinafter: the Privacy Policy), a public transport user is the user of the service (hereinafter: the Service User).
1.5. The websites and applications of Ridango use cookies to improve the user experience and the proper functioning of the Service. Service Users can manage or delete cookies in their browser, but if they do so, some features of the application may not work properly.
1.6. These terms and conditions describe which personal data Ridango collects and how it processes, on behalf of the Controller, the personal data that it receives in the course of providing the Service.
1.7. This Privacy Policy governs the processing of the Service User’s data, regardless of whether the Service User is a Ridango Service User or has otherwise consented to the processing of his or her data.
1.8. The privacy policy is general. Additional and/or more specific conditions may also be included in other documents. The Privacy Policy is an integral part of the Terms of the Ridango Services.
2. General provisions
2.1. The Service can be accessed through a website or mobile application (hereinafter: the Application). The Service can also be accessed at points of sale, from the driver of the public transport vehicle and through validators (i.e. the electronic device of the e-ticketing system located by the door of the public transport vehicle).
2.2. Tickets can be on paper, card, mobile phone, bank card or in QR or electronic format (hereinafter: the Tickets). The card can be a separately purchased travel card (e.g. Ühiskaart, TallinnCard) or a student or employee card (hereinafter: the Card) used as a travel card. The Tickets and Cards can be used as proof of entitlement to travel.
2.3. We use the Service User’s personal information in accordance with this Privacy Policy and within the framework of applicable legislation. We ensure the confidentiality of the Service User’s personal data and take the necessary measures to protect them from unauthorised and unlawful processing and disclosure.
2.4. The data of the Service User are processed on the basis of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 96/95/46/EC (General Data Protection Regulation), often referred to by the acronym GDPR, and other relevant legislation.
2.5. Ridango may use (sub-)processors for data processing. In these cases, Ridango will take the necessary measures to ensure that (sub)-processors process the data in accordance with applicable law and implement adequate security measures.
2.6. The Privacy Policy is available on Ridango Applications. Ridango reserves the right to unilaterally change or amend the policy at any time without prior notice. All amendments and updates will enter into force and become binding on the Service User from the date they are published on the Applications or the data specified in the publication notice.
3. Personal data of Service User
3.1. We may collect the personal data of the Service User:
3.1.1. directly from the Service User;
3.1.2. during the use of the Service;
3.1.3. from external sources, such as public online sources, public and private registers or other third parties.
3.2. The categories of personal data that Ridango mainly collects and processes are:
3.2.1. main data: name, personal identification code, date of birth, identity document (e.g. copy of passport, ID card or residence permit);
3.2.2. contact details: address, telephone number, email address, bank account number, preferred language;
3.2.3. service usage data: e.g. Ticket or Card validation time, route, payment instrument data;
3.2.4. data from public registers: place of residence (municipality, town or city) from the Population Register, data from the Estonian Education Information System (including school level: upper secondary school, vocational school, university, etc.).
3.2.5. Data obtained and/or created in the course of complying with a legal obligation. For example, data obtained as a result of an investigation carried out by law enforcement authorities, public authorities or other public bodies.
3.3. We process the Service User’s personal data in order to:
3.3.1. maintain contact with the Service User, and provide and manage access to the Service. For example, to carry out transactions related to the Service User; to update data, to verify personal data through external sources and to perform operations at the Service User’s request;
3.3.2. verify the entitlement to travel, including to determine the validity of the Tickets or Cards, applicable discounts and resolve related validation disputes;
3.3.3. assess the quality of the Services to understand how useful the Service is and how to improve it;
3.3.4. prove transactions or other business communications relating to the Service (telephone calls, emails recorded by customer support) for the purpose of providing the Service or taking steps prior to providing the Service.
3.4. We process the Service User’s personal data on four legal grounds:
3.4.1. consent – processing of personal data only to the extent and for the purposes for which the Service User has specifically and explicitly given his or her consent;
3.4.2. performance of a contract – the processing of personal data is necessary to enable Ridango to perform a Service or sales contract entered into with a Service User or Customer or to carry out necessary operations prior to entering into contracts with a Service User for the sale of the Tickets and Cards. Such processing of personal data is mainly manifested in the achievement of certain results of the Ridango Services and products, which cannot be achieved by avoiding the processing of personal data;
3.4.3. legal obligation – data processing that Ridango is legally obliged to perform. If data processing is necessary to comply with a legal obligation, neither Ridango nor the Service User can decide on the processing of such personal data or to restrict data processing;
3.4.4. legitimate interest – use of personal data primarily to improve the Ridango Services and to promote customer relations and business. Above all, legitimate interest is the balance between the rights of the Service User and Ridango. Ridango also uses these data to generate the statistics necessary for making better business decisions and preparing marketing analyses.
4. Browsing statistics, logs and cookies
4.1. Ridango Applications use:
4.1.1. the Google Analytics web analytics service to process non-personalised data;
4.1.2. logs of queries made to the Application server;
4.1.3. cookies to track data traffic on the Application and how Users use the Application, including to collect the Service User’s IP address and browsing information.
4.2. The Services, logs and cookies referred to in Section 4.1. enable the Applications to:
4.2.1. remember the User’s information;
4.2.2. analyse the behaviour and preferences of the Users;
4.2.3. improve the User Experience and ensure the proper functioning and security of the applications;
4.2.4. investigate the technical performance of the applications in the event of potential security incidents.
4.3. The Service User may stop the collection of data by Google Analytics at any time according to these instructions: https://tools.google.com/dlpage/gaoptout/.
4.4. The Service User can manage cookies or delete them (depending on the browser, cookies already stored on the Service User’s computer will be deleted selectively or in bulk). Most browsers can be configured to prevent cookies from being stored on a computer. In such a case, the Service User will probably have to manually adjust certain preferences each time he or she visits the Application, and some Services and features may not work.
5. Disclosure of personal data of Service User
5.1. The personal data of the Service User may be disclosed to:
5.1.1. Ridango staff whose tasks include:
• contacting the Service User;
• analysing the Service User’s personal data;
• improving the Applications;
• other activities directly related to the Services;
5.1.2. Ridango Group companies for making the management and administrative decisions of the company.
5.1.3. Where required by law, Ridango discloses personal data to security and law enforcement authorities, including the police, prosecutors, etc., for purposes such as the detection, investigation and other activities required by law and in accordance with predetermined procedures.
5.1.4. Other third parties who have a legal basis for obtaining the information (such as legal, auditing and other specialised service providers) and for carrying out business operations (such as mergers and acquisitions and various business transactions).
6. Retention of personal data of Service User
6.1. Personal data are processed until the purpose of processing has been achieved, the consent given by the Service User has been withdrawn or the law no longer requires the retention of personal data. The personal data are then deleted or anonymised.
6.2. The personal data of the Service User are not processed for longer than necessary. The retention period may depend on the contracts entered into by the Service User, the legitimate interest of Ridango or applicable law (for example, limitation periods in accounting and legislation related to civil law).
6.3. Cookies are usually valid for a short period of time (a day, a week or a month), but in some cases they can be valid for up to a year. The term of cookies is set by the owner of the Application.
6.4. We will keep the personalised Ühiskaart validation information until a new validation or for a maximum of seven days from the validation. After a new validation or after seven days, the validation record related to the personalised Ühiskaart will be deleted and a non-personalised record will be created, which contains the details of the travel, but no link to the Service User and the Ühiskaart.
7. Rights of Service User
7.1. The Service User may exercise his or her rights set out below by writing to the Ridango Data Protection Officer at the address in order to:
7.1.1. obtain information on whether the Service User’s personal data are being processed and to gain access to his or her personal data in written or generally used electronic form;
7.1.2. where possible, transfer the data to another Service Provider. Ridango may charge a reasonable fee for allowing access to and transmitting such data;
7.1.3. request the correction of the personal data if they are insufficient, incomplete or inaccurate;
7.1.4. request the deletion of his or her personal data. By exercising this right, the Service User is aware that after the deletion of the personal data, the Service User will no longer be able to use several Services linked to the ID code that are provided by Ridango. If the Service User’s personal data are deleted at his or her request, Ridango will retain copies of only such information that is necessary to protect the legitimate interests of Ridango or third parties, to comply with applicable legislation, to resolve disputes or problems, or to enforce a contract with the Service User.
7.2. If necessary, object to the processing of his or her personal data, restrict it or withdraw his or her consent. By exercising this right, the Service User confirms that he or she is aware that after the deletion of the personal data, Ridango will no longer be able to provide the Services.
8. Complaints
8.1. In the event of a breach of the right to privacy, the Service User may lodge a complaint with the authorities of the EU Member State or of the place of permanent residence. The contact information of these authorities can be found at http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080.
8.2. The Service User has the right to refer disputes to the consumer protection authority: in Estonia – Consumer Protection and Technical Regulatory Authority, Endla 10A, 10122 Tallinn, email: , https://www.ttja.ee/.
8.3. The Service User can also lodge a complaint through the European Online Dispute Resolution (ODR) platform (https://ec.europa.eu/consumers/odr/main/index.cfm?event=main.home.chooseLanguage).