PRIVACY POLICY

This Privacy Policy explains what personal and technical data may be processed when using the CityCard mobile application, the citycard.net website and related e-ticket services.

1. Status of parties and contact for confidentiality issues
Within the framework of the operation of the automated system of accounting for fares in public transport, the owner of the ASOOP (Automated System of Fare Accounting) data and the party that determines the main goals and procedure for using such data in the electronic ticket system is the Executive Committee of the Zhytomyr City Council as the Customer of the corresponding system.

“CITY CARD SYSTEM-ZHYTOMYR” LLC, EDRPOU code 44972636, ensures the functioning of the CityCard service as an operator of electronic systems, a technical administrator/developer of a mobile application/site and a performer of the relevant contractual functions. “CITY CARD SYSTEM-ZHYTOMYR” LLC is not an independent owner of ASOOP data and does not independently determine the purposes of processing personal data of users in the electronic ticket system.

To avoid ambiguity, the term “Operator” in this Policy is used in the meaning of the operator of electronic systems, and not as a designation of a body or person that independently determines the purpose and procedure of personal data processing.

Contact for requests on issues of confidentiality and operation of the components of the automated system of accounting for fare payment (mobile application, website): info@citycard.net. Requests that belong to the competence of the data owner can be transferred or directed to the Executive Committee of the Zhytomyr City Council.

2. What data can be processed
The mobile application/site processes only the data that is necessary for the operation of the electronic ticket, balance replenishment, user service, service security and compliance with legal requirements.

Depending on the functions used by the person, the following categories of data can be processed:

  • account and identification data: name, surname, phone number, email address, user ID, authorization data;
  • transport card and electronic ticket data: card number or ID, QR code/electronic ticket, balance, card status, ticket type, data on replenishment and use of the service;
  • transaction and payment data: payment amount, date and time of the operation, payment status, payment ID, payment token or technical operation number;
  • technical data of the device and application: device model, operating system version, application version, IP address, device language, session identifiers, technical logs, error data;
  • support request data: request text, contact details, files or screenshots added by the user, communication history;
  • notification data: device push token, notification settings, status of service or security notifications;
  • geolocation data, if such a feature is used: current or approximate location of the device after the user has granted permission.

The application/site must not store the full bank card number, CVV/CVC code or other full payment details if the payment is made through a payment provider. In this case, only technical payment identifiers, payment tokens or transaction statuses necessary to confirm the payment are processed.

If individual functions of the application/site use the camera, NFC, geolocation, push notifications or other device permissions, such permissions are used only for the declared function and after the user has granted the appropriate permission, if such permission is required by the operating system.

3. Purpose of data processing

Personal and technical data may be processed for the following purposes:

  • registration, authorization and maintenance of the user account;
  • replenishment of the electronic ticket balance;
  • display of the balance and history of electronic ticket operations;
  • confirmation of payments, accounting of transactions in the prescribed cases;
  • provision of technical and user support;
  • sending service, technical and security messages;
  • ensuring information security, detection of errors, technical failures or signs of fraud;
  • generation of reporting and analytical data for the functioning of the electronic ticket system within the powers of the Customer;
  • compliance with the requirements of the law, requests from competent authorities and protection of the rights of users, the Executive Committee of the Zhytomyr City Council and LLC “CITY CARD SYSTEM-ZHYTOMYR”.

“CITY CARD SYSTEM-ZHYTOMYR” LLC processes data within the framework of technical support for the operation of the CityCard service and does not use users’ personal data for independent purposes incompatible with the functioning of the electronic ticket system.

4. Legal grounds for processing
The processing of personal data is carried out in accordance with the Law of Ukraine “On Personal Data Protection”, decisions of local governments on the implementation of an electronic ticket, agreements on the functioning of the ASOOP and other applicable legislative acts.

Depending on the specific situation, the legal grounds for processing are:

  • the user’s consent to the processing of personal data or granting permission for a separate function of the device;
  • the need to provide the user with electronic ticket services and related services;
  • performance of tasks and functions in the field of organizing fare payment in public transport;
  • compliance with legal requirements, in particular regarding payments, accounting, consideration of appeals and interaction with authorities;
  • legitimate interest in ensuring security, stability of the application/site, preventing fraud and protecting the rights of users and parties to the electronic ticket system.

5. Transfer of data to third parties
Personal data is not sold to third parties. Data may be transferred or made available only to the extent necessary for the operation of the service, the implementation of legislation or decisions of the data controller.

In particular, data may be available to the following categories of recipients:

  • the Executive Committee of the Zhytomyr City Council and its authorized persons – within the framework of the functioning of the ASOOP, control, reporting, consideration of appeals, accounting for preferential categories and organization of transportation;
  • payment services, banks, acquirers and other participants in the payment infrastructure – for accepting and confirming payments;
  • technical contractors, providers of hosting, cloud infrastructure, cybersecurity, support, analytics, crash reporting and push notifications – to ensure the operation and security of the application/site;
  • to transport system operators, carriers or controllers – to the extent necessary to confirm the right to travel, record transport transactions or resolve service issues;
  • to competent state authorities – only in cases, in the manner and to the extent provided for by law;
  • to other persons – with the user’s consent or if it is necessary to protect the rights, safety or legitimate interests of users, the data controller, LLC “CITY CARD SYSTEM-ZHYTOMYR” or third parties.

In the case of using third-party SDKs or libraries, the actual categories of data that they collect or transmit must be verified by the developer and reflected in the Google Play Data Safety section.

6. Secure data processing and protection
“CITY CARD SYSTEM-ZHYTOMYR” LLC applies organizational and technical measures to protect personal and sensitive data to which it has access within the technical support of the CityCard service.

Such measures may include:

  • data transmission via secure communication channels using modern encryption protocols;
  • restriction of access to personal data only to employees, contractors or services that require such access to perform official or contractual tasks;
  • user authentication and account access control;
  • technical event logging, error and suspicious activity monitoring;
  • regular updates of software components, server infrastructure and security tools;
  • backup and service recovery procedures;
  • contractual obligations of contractors regarding confidentiality and proper data protection.

No method of data transmission or storage can be completely secure. In the event of a security incident being detected, “CITY CARD SYSTEM-ZHYTOMYR” LLC takes measures to localize it, eliminate the consequences, and notify the data controller, users, or authorities in cases provided for by law.

7. Data retention periods
Personal data is stored no longer than is necessary for the purposes for which it was collected, or for the period established by law, decisions of the data controller or rules for the functioning of ASOOP.

In particular:

  • account data is stored for the period of use of the account and the period necessary to complete mutual settlements, consider appeals, protect rights or comply with legal requirements;
  • card, top-up and transaction data is stored for the period necessary to provide services, confirm operations, accounting, tax or other mandatory accounting;
  • technical logs, data on errors and security events are stored for the period necessary for diagnostics, security and stability of the service;
  • data on support requests are stored for the period necessary to consider the appeal, confirm the results of its resolution and protect the rights of the parties.

After achieving the purpose of processing or the expiration of the storage period, the data is deleted, depersonalized or archived if their further storage is directly required by law or necessary to protect rights and legitimate interests.

8. Deletion of account and related data
The user may submit a request to delete the CityCard account and related personal data. The request can be submitted: in the mobile application: Menu → Profile → Delete account.

LLC “CITY CARD SYSTEM-ZHYTOMYR” accepts and technically processes such requests within its competence as the operator of the CityCard service. If the execution of the request requires a decision or confirmation of the data controller, the request is transferred or agreed with the Executive Committee of the Zhytomyr City Council.

Upon receipt of the request, confirmation of the user’s identity or account ownership may be required. The data is deleted within a reasonable time after confirmation of the request, except for data that must be temporarily stored to comply with legal requirements, prevent fraud, resolve disputes, for accounting or tax purposes, confirm the fact of payment, or protect the rights of the parties.

If the data has been transferred to service providers, their deletion or restriction of further processing by such providers is initiated within the limits possible and provided for by contracts.

9. User rights

The user has the right to:

  • obtain information about the processing of their personal data;
  • obtain access to their personal data;
  • demand correction of inaccurate or outdated data;
  • demand deletion of data in cases provided for by law and this Policy;
  • demand restriction of data processing in cases provided for by law;
  • withdraw consent to data processing, if the processing is carried out on the basis of consent;
  • object to certain types of processing, if such a possibility is provided for by law;
  • file a complaint with the Commissioner for Human Rights of the Verkhovna Rada of Ukraine or to the court.

To exercise their rights, the user can contact info@citycard.net. If the request concerns data, the decision on which falls within the competence of the Executive Committee of the Zhytomyr City Council as the data controller, LLC “CITY CARD SYSTEM-ZHYTOMYR” transfers the request or provides the user with information for contacting the relevant controller.

10. Third-party services, SDKs and links
The application/site may use third-party technical services, libraries or SDKs for payments, analytics, crash reporting, push notifications, hosting, cybersecurity and application support. Such services may process technical data, device identifiers, error data, push tokens or other data within the scope of their function.

The application or site may contain links to third-party resources. LLC “CITY CARD SYSTEM-ZHYTOMYR” does not control the privacy policies of such resources if they are not owned or operated by it.

11. Data of children and preferential categories
The CityCard application is not specifically intended for children as the main audience. At the same time, the electronic ticket service can be used by pupils, students or other preferential categories in accordance with the legislation and decisions of local governments.

The data necessary to confirm the preferential status or type of card are processed only to the extent necessary to provide the relevant service, comply with the requirements of the legislation and decisions of the data controller. If additional documents or information are required to issue a preferential electronic ticket, such data should be collected in the minimum necessary volume and used only for the relevant purpose.

12. International data transfer
In the case of using cloud services, analytics services, crash reporting, push notifications or other technical contractors, personal or technical data may be processed outside of Ukraine. In such a case, the transfer is carried out only if there are appropriate legal grounds and data protection measures in accordance with applicable law and agreements with such providers.

13. Changes to the Policy
This Policy may be updated in the event of changes to the functions of the application/site, data processing practices, legal requirements, agreements on the functioning of ASOOP or Google Play rules. The current version of the Policy is published on the citycard.net website and, where possible, is available from the mobile application.

If the changes significantly affect the user’s rights or data processing methods, users may be notified via the application, website or other available communication channels.

14. Contact information

For questions about privacy, access to data or withdrawal of consent, the user can contact:

  • CityCard service e-mail: info@citycard.net;
  • address of LLC “CITY CARD SYSTEM-ZHYTOMYR”: 10031, Zhytomyr, Pokrovska St., 159/68;
  • support phone: +380 332 74 11 00 or other current numbers specified on the citycard.net website;
  • data controller ASOOP: Executive Committee of the Zhytomyr City Council, 10014, Zhytomyr region, Zhytomyr city, S. P. Korolev Square, 4/2.