- About Nabogo ApS
Nabogo ApS (‘NG’) collects data to run our business and to provide you with opportunities to reduce traffic waste. We collect both personal data and other information to support these activities.
Please feel free to contact Anders Muusmann on +45 71792244 or at email@example.com if you have any questions about our processing of personal data. See also section 11, where we describe your rights, and section 12, where you will find our other contact details.
- Data controller – NG
Lysholt Allé 8
CVR no.: 39404060
- Personal data
Personal data are any information about an identified or identifiable natural person (the data subject).
The Danish personal data protection legislation makes a distinction between two principal categories of personal data:
- Ordinary personal data such as name, email, address, telephone number, marital status, username, membership number, position, bank account and photo.
- Sensitive personal data such as health data, allergies, political opinions, religious beliefs, trade union membership, citizenship, child certificates and civil registration (CPR) numbers.
As a general rule, we only collect ordinary data, including your name, email address, address, country, your location data, your photo, education and training, workplace, mobile number and bank details.
Our legal basis for processing these personal data is Section 6(1) of the Danish Data Protection Act, see Article 6 of the General Data Protection Regulation, see below.
When you use a mobile device, we also collect and use your Apple Identifier for Advertising (IDFA) and Google Advertising ID (AAID) to recognise your device and for support activities on our services. These numeric values are not permanently connected to your device, and, depending on your operating system, you can reset them via your device settings.
Other data that we collect about you may, for example, be the time you spend on our website etc. These data are not personally identifiable and cannot reveal your identity.
- Purpose, legal basis and categories of personal data
In connection with the provision of our services to you, we process the following data for the below purposes.
Overall, we collect personal data to manage our business and run our services.
5.1. Data that you give us yourself when you create your account
If you create an account with us, we use the data we collect to run our business, advertise and improve our existing Platform, develop new services, and to improve and personalise your experiences when you interact with us.
We also use your personal data to communicate with you, including in connection with a request for technical support, online services, product information or any other communication you initiate. This includes access to your account to meet your request for technical support. We may store the correspondence on this. Your data are also used to manage your personal account and process bookings and ridesharing offers.
Name, email address, password, country, location and mobile phone number, date of birth, education and training, occupation and a description of you as well as bank details are collected on the basis of the performance of a contract, see Section 6(1) of the Danish Data Protection Act, see Article 6(1)(b) of the General Data Protection Regulation, and/or consent in accordance with Section 6(1) of the Danish Data Protection Act, see Article 6(1)(a) of the General Data Protection Regulation.
5.2. Push notifications etc.
5.3. Data collected when using the Platform
When you use the Platform, we automatically collect information, including personal data, data about the services you use and how you use them, data about your exact or approximate location, your IP address, or the GPS of your mobile device. These data are necessary for the adequate performance of the contract between you and us, to enable us to meet our legal obligations and our interest in being able to supply and improve the functionality of the Platform.
Our legal basis for processing these personal data is the performance of a contract with you, see Section 6(1) of the Danish Data Protection Act, see Article 6(1)(b) of the General Data Protection Regulation, and/or consent in accordance with Section 6(1) of the Danish Data Protection Act, see Article 6(1)(a) of the General Data Protection Regulation.
5.4. Location data
We collect location data in several ways:
- From your wireless operator directly from the device on which you use our services.
- The way in which we collect location data differs depending on whether you access our services through a website or a mobile application.
- If you access the services through one of our mobile applications, the way we collect location data will vary depending on the operating system of your mobile device. In any circumstance, we do not collect location data unless you have consented to such collection when asked.
- If you do not permit collection of location data in the app, we do not collect your location data.
Collection of these data ensures relevant functionality, including the possibility of displaying a map or list of nearby pick-up points.
This data collection is done with legal basis in Section 6(1) of the Danish Data Protection Act, see Article 6(1)(a) of the General Data Protection Regulation.
5.5. Contact via social media
When you establish a connection to us via social media, we may collect account details or profile data.
You can choose to activate, log in or log on to the services via Facebook or other networking services (‘Social Networking Services’). When you connect using your accounts on Social Networking Services, we may collect personal data that you have provided to the Social Networking Service. For example, when you sign in with your Facebook ID, we may, with your consent, collect personal data from your Facebook profile allowed under Facebook’s terms and conditions of use, such as your email address. If you do not wish to provide us with these data, you must change your privacy settings on your Social Networking Services account. For more information, please review the information about personal data as well as the terms and conditions on your Social Networking Services account, which control how these account details are collected and shared with us.
If you choose this, you accept that we collect the above data such as your name and email address. This data collection is done with legal basis in Section 6(1) of the Danish Data Protection Act, see Article 6(1)(a) of the General Data Protection Regulation.
5.6. Participation in questionnaires, campaigns etc.
When you participate in surveys, campaigns, competitions and other promotions, questionnaires etc., we collect contact details and demographic data. At your request, we may register you in competitions, programmes and offers, and we may use your data to notify you of offers.
We may sponsor competitions and other promotions, and we may request that you provide personal data such as name, address, email address, telephone number and age, and other information that may be necessary for participation.
If you choose to participate, you accept that we collect the above data such as your name and email address. This data collection is done with legal basis in Section 6(1) of the Danish Data Protection Act, see Article 6(1)(a) of the General Data Protection Regulation.
5.7. Promotional marketing, advertising etc.
If you consent, we may send you promotional notifications, marketing, advertising and other information that may be of interest to you based on your preferences and advertising on social media through social media platforms. This includes competitions and other promotional activities.
You always have the option of asking NG not to send you promotional material or information.
5.8. Correspondence with nabogo and between users
If you correspond with us via email or other digital communication channels such as text messaging, we may store the contents of your messages, your contact details and our replies. We also store copies of the messages you send to other users via nabogo.
We may store data from the user content you send on nabogo. Nabogo has a legitimate interest in processing these personal data to help resolve problems between users or between nabogo and a user, generally improve our customer service, minimise inappropriate content on the Platform or better understand how our users interact with the Platform in order to improve our product. This collection is done with legal basis in Section 6(1) of the Danish Data Protection Act, see Article 6(1)(f) of the General Data Protection Regulation.
5.9. Payment data
Nabogo collects anonymous data linked to your personal payment details stored by a third-party payment service provider. By submitting your payment details, you grant nabogo access to and use of these data to pay for the transaction on your behalf. Our third-party payment service provider also receives your email address for the purpose of helping us link payments to specific nabogo users. The payment service provider also receives information related to your session when the payment was made, including the IP address of your device.
This is used by our payment service provider for the purpose of identifying high-risk and potentially fake payments. If you remove a payment card from the Platform, nabogo retains the right to store the anonymised data that can identify the card with our payment service provider. This is done for the purpose of collecting debt owed to nabogo. If you delete your account with nabogo, we will erase all payment card data within 180 days, provided that there is no outstanding debt for the closed nabogo account. If you delete your nabogo account and have outstanding debt to nabogo, or debt is incurred within 180 days, we will store the payment data until 180 days have passed since the last debt collection was concluded.
Our legal basis for this data collection is Section 6(1) of the Danish Data Protection Act, see Article 6(1)(b) of the General Data Protection Regulation, for the performance of a contract with you or to meet a legal obligation, see Section 6(1) of the Danish Data Protection Act, see Article 6(1)(c) of the General Data Protection Regulation.
When you make purchases through our app via, for example, MobilePay, Visa/Dankort and MasterCard, we will solely store payment data which are not sensitive personal data. The payment service provider is responsible for collecting the payment data (the credit card details) as they are necessary for an adequate performance of the contract with you and to comply with the existing legislation. In this case, our legal basis is Section 6(1) of the Danish Data Protection Act, see Article 6(1)(a), (b) or (f) of the General Data Protection Regulation. However, all exchange of data is generally subject to the condition that collection, registration and disclosure are necessary in the case in question.
- General principles for processing of personal data
The principles for our processing of personal data follow the legislation in force at any time, see Section 5 of the Danish Data Protection Act, see Article 5(1)(a) to (f) of the General Data Protection Regulation. We comply with the principles for processing of personal data, regardless of the type of personal data we process and regardless of the basis on which the data are processed. The processing principles always control how we handle the personal data we receive.
6.1. Lawfulness, fairness and transparency
The collection and processing of personal data must always be lawful.
Personal data are collected and processed in a reasonable manner in relation to the data subject.
Personal data are collected and processed in a transparent manner using recognised digital case management systems, so that our customers and clients have a right to request access at any given time to the personal data we store about them.
6.2. Restriction of collection and processing
The data are collected for expressly stated and lawful purposes and are not processed in a manner that is incompatible with these purposes.
We thus only collect the personal data we need. Unless we have another legal basis for collecting the data, we obtain your consent before we process your personal data for the purposes described above. We will inform you about such a basis and about our legitimate interest in processing your personal data.
6.3. Data minimisation
The data must always be sufficient, relevant and restricted to what is necessary for the purposes for which they are processed. We only process data about you that are relevant and sufficient for the purposes defined above. The purpose of the service determines the type of data that is relevant to us. The same applies to the extent of the personal data we use.
6.4. Data storage restriction
The data are stored in such a way that it is not possible to identify the data subjects for a longer period than necessary for the purposes for which the personal data in question are processed.
However, personal data may be stored for extended periods of time if they are processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the General Data Protection Regulation, subject to appropriate technical and organisational measures being in place, as required by this Regulation, to safeguard the rights and freedoms of the data subject.
6.5. Integrity and confidentiality
Personal data are processed in a manner that ensures appropriate safeguards for the personal data in question, including protection against unauthorised or unlawful processing and from accidental loss, destruction or damage, using appropriate technical or organisational measures.
The Danish Data Protection Agency’s IT security texts form the basis for the considerations and assessments that we have made in accordance with the General Data Protection Regulation regarding general technical and security measures.
Access to personal data is restricted to persons who have a work-related need for access. This entails as few persons as possible, however, with due regard for the operations of the company, as there must concurrently be a sufficient number of employees to ensure the operation of the tasks in question in connection with illness, holidays, change of personnel etc.
Employees who handle personal data have received instruction and training in their processing, storage and protection.
All employees use passwords to access PCs and other electronic equipment containing personal data. Only the persons who need access are given a password and then only to the systems the person in question needs to use. Persons who have a password must not disclose it to others or leave it about so that others can see it. Allocated passwords are checked at least once every six months.
Electronic media that are connected to the Internet will have an updated firewall and antivirus system installed.
For connection to WiFi with free access, we will ensure appropriate security measures, with due consideration for the current state of the art within IT technology.
6.6. Risk analysis and assessment
In connection with our case management, we must implement appropriate technical and organisational measures to ensure a level of security that covers the risks that are specifically connected with our processing of personal data.
- Disclosure and transfer of personal data
7.1. Third parties
Your data may be shared within the NG group. This includes sharing of name, email, and mobile number between users to help facilitate bookings when a reservation is made.
We never disclose, sell or exchange your data for marketing purposes to third parties outside the NG group. Data that are disclosed to third parties are only used to provide you with the above services, for example media services and integrations with other mobility service providers (here only data on arrival at specific meeting places are exchanged as well as first name and first letter of surname).
7.2. Data processors
In a number of cases, we entrust the processing of your personal data to our data processors. This is, for example, the case when we let an external supplier host our data, for example via our email system, Mailchimp.
Our data processors only process your personal data in accordance with our instructions, and we always enter into data processing agreements with our data processors. All our data processors are GDPR compliant.
- Transfer to third countries
We do not transfer your personal data to recipients outside the EU and EEA.
- Storage and erasure
As a general rule, we process your personal data for as long as there is an existing customer relationship between you and us, i.e. as long as you have an account with us.
Following a specific assessment, we store personal data for up to five years, depending on the data in question, to meet our obligations under the Danish Anti-Money Laundering Act (Hvidvaskloven), the Danish Limitations Act (Forældelsesloven) etc.
In practice, erasure of personal data means that personal data are irrevocably removed from all storage media – including removable media – so that they cannot be recreated in any way.
We have adopted internal information security rules that contain instructions and measures to protect your personal data from being destroyed, lost or altered, from unauthorised disclosure, and from unauthorised access or knowledge.
We have implemented technical and organisational measures to protect your data from loss, manipulation and unauthorised access. We continuously adjust our security measures in line with technological progress and developments. To make purchases by credit card as secure as possible with us, all data are sent in encrypted form. This means that the data are disclosed via a secure connection and that external parties cannot read your personal data. In connection with purchases made by card, we work with PCI-compliant payment service providers which help us verify directly with your bank that the card is valid for purchases. Our payment service providers process your card details in accordance with the international security standards PCI DSS, developed by the card issuers VISA, MasterCard, Diners, American Express and JCB. This means that your card details are processed with a very high level of security.
- Your rights
In accordance with Chapter 3 of the General Data Protection Regulation, you have a number of rights in relation to our processing of data about you. We have incorporated clear internal guidelines and routines that allow us to comply fully with the requirements of the General Data Protection Regulation regarding your rights.
If you want to exercise your rights, please contact Anders Muusmann, firstname.lastname@example.org & tel. +45 71792244. You can expect a reply to your request without undue delay and no later than one month after we have received it. We may ask you for (additional) documentation that you are who you purport to be to ensure that your private data do not end up in the wrong hands.
11.1. Right of access by the data subject, see Article 15 of the General Data Protection Regulation
You have a right of access to the data we process about you and to a number of other data, see Article 15(1) to (3) of the General Data Protection Regulation. However, you do not have a right of access if such access adversely affects the rights and freedoms of others, see Article 15(4) of the General Data Protection Regulation. Nor do you have a right of access if your interest in the data is regarded as being overridden by public or private interests, see Section 22(1) and (2) of the Danish Data Protection Act.
11.2. Right to rectification, see Article 16 of the General Data Protection Regulation
You have the right to have inaccurate or incorrect data about yourself rectified. However, this requires that the data are, in fact, incorrect and not just a reflection of a subjective or technical assessment.
11.3. Right to erasure (‘right to be forgotten’), see Article 17 of the General Data Protection Regulation
In special circumstances, you have the right to have data about you erased before we are normally required to erase the data.
11.4. Right to restriction of processing, see Article 18 of the General Data Protection Regulation
In certain cases, you have the right to have the processing of your personal data restricted. If you have a right to restriction of processing, we are, in future, only allowed to process the data, with the exception of storage, with your consent, or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.
11.5. Right to object, see Article 21 of the General Data Protection Regulation
In certain cases, you have the right to object to our otherwise lawful processing of your personal data. You may also object to the processing of your data for direct marketing purposes.
11.6. Right to data portability, see Article 20 of the General Data Protection Regulation
In certain cases, you have the right to receive your personal data in a structured, commonly used and machine-readable format and to transmit those personal data to another controller without hindrance from the controller to which the personal data have been provided.
You can read more about your rights in the Danish Data Protection Agency’s guidance on the rights of data subjects, which you will find at www.datatilsynet.dk.
NG internal records of our processing of personal data.
- Contact details
If you have any questions, comments or wishes about the processing of your personal data, please always feel free to contact us at:
Lysholt Allé 8
CVR no.: 39404060
Telephone: +45 71792244
If you wish to complain about our processing of your personal data, you can lodge a complaint with the Danish Data Protection Agency at the address:
Borgergade 28, 5
1300 Copenhagen K, Denmark
Telephone: +45 33 19 32 00
Fax: +45 33 19 32 18
- Links to further knowledge and tools:
The General Data Protection Regulation: https://eur-lex.europa.eu/legal-content/DA/TXT/?uri=CELEX%3A32016R0679
The Danish Data Protection Act: https://www.retsinformation.dk/Forms/r0710.aspx?id=201319
In the event of a security breach that results in you incurring a high risk of discrimination, ID theft, financial loss, loss of reputation or other significant inconvenience, we will notify you of the security breach as soon as possible.
If cookies and similar technologies are placed on your terminal equipment, your personal data may also be processed, for example data about your IP address. Our legal basis for processing these data is Section 6(1) of the Danish Data Protection Act, see Article 6(1)(f) of the General Data Protection Regulation. Our legitimate interest is that the data are necessary to enable us to compile statistics on our visitors’ use of our websites and to optimise our websites.