Principles of Data Protection

When using the term “personal data” or “personal information” in this Privacy Policy, we mean information (including opinions) that relates to you and from which you could be identified, either directly or in combination with other information which we may have in our possession.

To help you understand how we handle your personal information more clearly, below sets out the privacy principles which guide how we use your personal information. These principles provide that personal data should be:

• used lawfully, fairly and in a transparent way;
• collected for lawful reasons that have been clearly explained to you;
• relevant to the purposes you have been told about and limited only to those purposes;
• kept accurate and up to date;
• shared only as has been explained to you, when you ask us to or when legally required to;
• kept only as long as necessary for the purposes you have been told about; and
• kept securely and protected.

Our website may provide links to third party websites. Serco is not responsible for the conduct of third party companies linked to the website and you should refer to the privacy notices of these third parties about how they may handle your personal information.

How Your Personal Data Is Collected

We may collect personal data about you when:

• the personal data is provided to us by you (e.g. when you contact us by email or telephone)
• the personal data is collected in the normal course of our relationship with you (e.g. when you hire a bicycle, when you register as a customer via our mobile application or website, when you make a payment online);
• the personal data has been made public by you (e.g. contacting us via a social media platform);
• the personal data is received by us from third parties (e.g. parents and guardians, law enforcement authorities);
• the personal data is received from trusted suppliers (e.g. payment processing supplier, IT providers);
• the personal data is collected via our IT systems (e.g. our website, mobile applications, internal email, cookies); and
• the personal data is created by us, such as records of your communications with Serco including complaints.

Personal Data Collected

We may collect and use the following personal information about you:

• Personal Details: title, full name, address, date of birth, sex or gender, business or home address, telephone numbers, email address, job role, signatures, social media handles;
• Financial Information: purchase transaction history, encrypted debit or card details;
• Internal Company Identifiers: discount, promotional and voucher codes, booking reference and reservation numbers, user name and password for your account;
• Rental Details: a record of your agreement to the Edinburgh Cycle Hire terms and conditions, dates of Edinburgh Cycle Hire hire, records of pick up, cycle journey route and drop off locations.
• Communications and marketing: responses to competitions, promotions and surveys, social media postings, general correspondence, call recordings, consents and preferences if you give permission to receive direct marketing.
• Incident History: health and safety accidents, security incidents, accident information, complaints communications, insurance claims history.
• IT Details: information about the browser or device you used and the date and time you accessed our website or mobile application, your IP Address and cookie preferences.

If you do not provide certain personal information which we request, you may not be able to hire an Edinburgh Cycle Hire bicycle from us.

Special Category and Sensitive Data

We will not intentionally or systematically seek to collect, store or otherwise use information about you classed as ‘special categories of data' or 'sensitive data' (for example, information relating to your ethnic origin, health or sexual orientation).

How And Why We Use Your Personal Information

Data protection and privacy laws requires companies to have a “legal basis” or “lawful ground” to collect and handle your personal information. We will only collect, use and share your personal information where we are satisfied that we have an appropriate legal basis to do this. This may be because:

• we need to use your personal information to perform a contract or take steps to enter into a contract with you;
• we need to use your personal information for our or a third parties legitimate interest;
• we need to use your personal information to comply with a relevant legal or regulatory obligation that we have; or
• we have your consent to using your personal information for a particular activity.

A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests. We have carried out balancing tests for all the data processing we carry out on the basis of our legitimate interests, which we have described below. You can obtain information on our balancing tests by contacting us on the details below.

Below is a summary of what we may use (process) your personal information for and our reasons for doing so:

Children's data

Our services may be booked directly and used by individuals aged 16 years or over. We do not knowingly collect or solicit personal information from anyone under the age of 16 or knowingly allow such persons to provide us with their personal information without parent or guardian consent. If you are under 16, do not send any information about yourself to us, including your name, address, telephone numbers, or email address, unless you have your parent's or guardian's permission.

In the event we learn that we have collected personal information from anyone under the age of 16, and do not have a parent or guardian's consent, we will delete that information as quickly as possible. If you have any concerns, please contact us at dataprotection@edinburghcyclehire.com or call us on 0131 278 3000.

In the event that we do hold personal data about children, we will handle that data in accordance with the terms of this Privacy Policy.

Cookies

Edinburgh Cycle Hire will use cookies on its website. Cookies store data in your browser when you visit a website. You can choose to turn off cookies, but we do not recommend it.

Edinburgh Cycle Hire will use cookies for the following items:

• Giving you the same language each time you visit the website, based on what you have selected.
• Making sure that you keep the link to Edinburghcyclehire.com saved when you move between different sites, which is especially important if you’re going to purchase a subscription or gift certificate.
• Making sure that we know who you are if you contact customer service several times. For this service we use Intercom.
• Logging how you move through the website so that we can – without identifying individuals – see through statistics how edinburghcyclehire.com is used, and how we can make improvements. This is logged using Google Analytics, which is the most common method for this.

Below are some the technical details of the cookies Edinburgh Cycle Hire store:

locale: remembering which language you have selected.

(cookies starting with) intercom: recognising you as the same user when you contact customer service via chat.

(cookies starting with) _ga: building anonymous statistics about how edinburghcyclehire.com is used.

Direct Marketing

We may use your personal information to send you updates (by email, telephone, post or text message) about our services including exclusive offers, promotions or products where you have consented for us to do so.

To protect privacy rights and to ensure you have control over how we manage marketing with you:

• at any time you can update or correct your personal profile, or change your preferences for the way in which you would like us to communicate with you, including how you receive details of latest offers or news updates from us;
• if you have an online account with us, the easiest way to make updates to your marketing preferences and/or change your personal details is to log onto your account.  You can also click the "unsubscribe" link that you find on any online newsletters you receive or contact our customer support team: support@edinburghcyclehire.com;

You can opt out of receiving marketing communications from us at anytime by:

• using the unsubscribe option included on all email marketing correspondence
• sending us an email to dataprotection@edinburghcyclehire.com. Please ensure your correspondence is marked ‘Unsubscribe: Marketing Contact List’ and include your full name, membership number, email and telephone number to ensure your details are fully deleted from our direct marketing system. Please specify whether you would like us to stop all forms of marketing or just a particular type.
• Call us directly and speaking to a member of our team on 0131 278 3000

We will not sell your information, or share with other organisations without your prior permission for marketing purposes. We will take steps to limit direct marketing to a reasonable and proportionate level and only send you communications which we believe may be of interest or relevance to you, such as using location information you have provided (e.g. your post code) to personalise your marketing experience.

Call Recording

We may record your conversation with our team when you call us on 0131 278 3000, but you will be advised by recorded message at the start of your call that your call may be recorded.

We record calls based on our legitimate interests as set out in section 5, including:

• to establish the facts in the event of a complaint, claim or query from a caller; and
• to monitor and assess the quality of calls (including compliance with our customer service standards) and to providing training from time to time to those staff involved in the provision of our services;

Call recordings will be stored for up to 6 months from the date of their recording unless there is a relevant incident, complaint, investigation, legal proceedings or legal obligation which requires us to retain the recording for longer.  The recordings shall be stored securely, with access to the recordings restricted and monitored by management.

Sharing Your Personal Information With Others

• We will only disclose personal information to a third party in very limited circumstances, or where we are permitted to do so by law. The third parties we may share your personal data with include:
• other organisations within the Serco group of companies, where such disclosure is necessary to provide you with our services or to manage our business;
• third parties who help manage our business and deliver services (e.g. payment service providers, marketing agencies, debt collectors, IT support service providers, analysis experts, communication platform providers). These third parties have agreed to confidentiality restrictions and use any personal information we share with them or which they collect on our behalf solely for the purpose of providing the contracted service to us.
• third parties approved by you e.g. when you request your details to be transferred;
• our professional advisors (e.g. law firms, insurers, auditors); and
• Government, regulatory and law enforcement bodies where we are required in order:
  • to comply with our legal obligations;
  • to exercise our legal rights (e.g. pursue or defend a claim); and
  • for the prevention, detection and investigation of crime.

We may disclose your personal information to third parties in connection with a reorganisation, restructuring, merger, acquisition, sale or transfer of assets, or in the event there is a change of operator.

Less commonly, we may process and share your personal data with third parties where it is needed to protect your interests (or someone else's interests) and you are not capable of giving your consent.

Transferring Your Personal Information Globally

The personal information that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area ("EEA") (for example, the United States). It may also be processed by workers operating outside the EEA who work for us or for one of our service providers.

We will take appropriate steps to ensure that transfers of personal data are in accordance with applicable law and carefully managed to protect your privacy rights and interests. To achieve this, transfers are limited to countries which are recognised as providing an adequate level of legal protection or where we are satisfied that alternative arrangements are in place to protect your privacy rights. To this end, we will:

• in the limited circumstances that information is transferred within Serco Group, ensure such transfers are covered by an intra-group data sharing agreement entered into by all relevant entities within Serco Group, which contractually obliges each member to ensure that personal information receives an adequate and consistent level of protection.
• when transferring personal data to third parties outside the EEA:
  • put in place binding corporate agreements, which will include the standard contractual clauses approved by the European Commission for transferring personal information outside the EEA, to ensure that your information is safeguarded; or
  • ensure that the country in which your personal information will be handled has been deemed "adequate" by the European Commission or the company is registered and compliant with a European Commission approved privacy shield scheme.
• carefully validate any requests for information from law enforcement or regulators before disclosing the information.

If you would like further information about the global handling of your personal information, please contact us at dataprotection@edinburghcyclehire.com

Security Of Your Personal Information

Serco takes precautions including administrative, technical and physical measures to safeguard your personal information against loss, theft and misuse, as well as against unauthorised access, modification, disclosure, alteration and destruction.  We protect personal data using a variety of security measures including:

• password access;
• data back-up;
• encryption;
• firewalls;
• destroying personal information if it is no longer needed for the purposes it was collected;
• placing confidentiality requirements on employees and service providers and providing training to ensure that your personal data in handled correctly; and
• secure physical storage units for hard copy files with appropriate security restrictions, preventing damage, and unauthorised access to your personal information.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our websites; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

How Long Your Personal Information Will Be Kept

We will store your personal information for as long as is reasonably necessary for the purposes set out in this Privacy Policy. Where your personal information is no longer needed, we will ensure that it is disposed of in a secure manner. Below is the general criteria we use to determine how long we will keep your personal information, where upon we will either delete or anonymise the data:

• We will continue to keep your personal information while we are you are registered and have an account with us or we otherwise have an ongoing relationship with you (e.g. you have signed up to receive direct marketing, you have an ongoing complaint).
• We will retain your account personal information six (6) years from the date your account is confirmed as cancelled, (except for those details which may be retained as set out below)
• We will retain general correspondence and papers (including emails) received by us and our customer service team (excluding complaints and investigations) for six (6) years.
• Our register of complaints and investigations will be reviewed every ten (10) years.
• Images and messages provided by you on our social media feed with be kept until you ask for them to be deleted.
• Your IP address is kept in accordance with your cookie preferences.

If you have given Serco permission to send email marketing messages to you then we will retain your marketing preferences until you notify us that you no longer wish to receive such communications. We will review our marketing lists regularly and may contact to you to ask if you wish to still continue receiving marketing emails.

In some circumstances we may store your personal information for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, tax, accounting requirements. In specific circumstances we may store your personal information for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal information or dealings.

Your Legal Rights

You have legal rights in connection with personal information.Under certain circumstances, by law you have the right to:

• Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
• Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
• Request erasure of your personal information (commonly known as the "right to be forgotten"). Thisenables you to ask us to delete or remove personal information in limited circumstances, where: (i) it is no longer needed for the purposes for which it was collected; (ii) you have withdrawn your consent (where the data processing was based on consent); (iii) following a successful right to object (see Object to processing); (iv) it has been processed unlawfully; or (v) to comply with a legal obligation to which Serco is subject.

We are not required to comply with your request to erase personal information if the processing of your personal information is necessary for a number of reasons, including: (i) for compliance with a legal obligation; or (ii) for the establishment, exercise or defence of legal claims.

• Object to processing of your personal information by us or on our behalf which has our legitimate interests as its legal basis for that processing, if you believe your fundamental rights and freedoms outweigh our legitimate interests. If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms. You can object at any time to your personal information being processed for direct marketing (including profiling).
• Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, but only where: (i) its accuracy is contested, to allow us to verify its accuracy; (ii) the processing is unlawful, but you do not want it erased; (iii) it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or (iv) you have exercised the right to object, and verification of overriding grounds is pending.

We can continue to use your personal information following a request for restriction, where: (i) we have your consent; (ii) to establish, exercise or defend legal claims; or (iii) to protect the rights of another natural or legal person.

• Request the transfer of your personal information. You can ask us to provide your personal information to you in a structured, commonly used, machine-readable format, or you can ask to have it transferred directly to another data controller, but in each case only where: (i) the processing is based on your consent or on the performance of a contract with you; and (ii) the processing is carried out by automated means.
• Obtain a copy, or reference to, the personal data safeguards used for transfers outside the European Union. We may redact data transfer agreements to protect commercial terms.
• Withdraw consent to processing where the legal basis for processing is solely justified on the grounds of consent (please refer to section 8 for details about withdrawing consent to direct marketing).

Please note, to ensure security of personal information, we may ask you to verify your identity before proceeding with any such request.

We reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive.

If you would like to exercise any of these rights, please submit your requests to

Data Protection Champion
Edinburgh Cycle Hire,
2nd Floor
Highland Rail House
Station Square
Inverness
IV1 1LE

Email: dataprotection@edinburghcyclehire.com

Telephone: 0131 278 3000

Subject to legal and other permissible considerations, we will make every effort to honour your request promptly to inform you if we require further information in order to fulfil your request.

We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way.

Requests About Your Child’s Information

Children have the same rights over their own personal information as an adult. However, as young children may not understand these rights or are not capable of exercising these right, in some cases their parents may do so on their behalf.

Serco takes the protection of children’s personal information very seriously and needs to be very careful about disclosure. If we are in any doubt as to whether the parent or guardian is entitled to make a request on their child or ward’s behalf, then we may refuse to comply with their request.

Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee compliance with this Privacy Policy. If you have any questions about this Privacy Policy or how we handle your personal information, please address to:

Data Protection Officer
Serco Ltd
Enterprise House
18 Bartley Wood Business Park
Bartley Way
RG27 9XB

Alternatively, please email dpo@serco.com or call +44 (0)1256 745900.

Supervisory authority

We would be happy to address any concerns you have about your data privacy directly, and we encourage you to contact us in the first instance with your queries.  However, you have a right to lodge a complaint with the Information Commissioner’s Office (https://ico.org.uk/make-a-complaint or telephone: 0303 123 1113) who will then investigate your complaint accordingly.

Changes To This Privacy Policy

This Privacy Policy was first published on 12/09/2018.

We may amend this Privacy Policy from time to time to keep it up to date with legal requirements and the way we operate our business. Please regularly check this page for the latest version of this Privacy Policy. If we change this Privacy Policy, we will post the new policy on this website. On some occasions, we may also actively advise you of specific data handling activities or significant change to this Privacy Policy as required by applicable law.