Last update: November 14th, 2017 | Versão em português
The UnderLX Team (in Portuguese, "Equipa do UnderLX") ("Team") is a group of people who operate voluntarily, individually and without commercial interests, in the area of Information Technology. The activities of this group have a special focus in the area of Urban Public Transport, thus applying information technology techniques and knowledge to existing Urban Public Transport networks ("PTNs").
The goal of the Team is to improve, through their activity, the user experience of these networks. In addition, this group has no official connection, support or endorsement of any company or entity, including PTN operators.
The Team is responsible by the website perturbacoes.pt ("Website"), as well as by the UnderLX application ("App"), and undertakes to ensure the privacy of any personal data collected and/or transmitted online. The security and privacy of the Website and App user data are central concerns in the Team's activity.
Because we respect the rules regarding privacy and protection of personal and personally identifiable data, we prepared this document, in order to let you know how the information you make available will be taken care of, by the Team and their information systems.
This document is organized in such a way as to answer the following questions:
- What user data is collected?
- When and how do we collect user data?
- Who is responsible by collecting and processing data?
- For how long do we keep the data?
- How is the collected information used?
- What security procedures are associated with the App and the Website, that ensure user data protection against undue access and modification?
- In what way can the users obtain, correct or delete the information they previously made available through the App?
Both the App and the Website avoid collecting data about users without their explicit consent. In this sense, the Website does not collect information about the browser, browsing history or internet connection of the users, except when that is necessary as a means for solving technical problems or limiting access to Abusive users, as defined in the Terms.
None of the information submitted through the App is associated with any personal user data, as this type of data is not collected. The data collected and submitted by the application is associated with a pseudorandom ID. This ID is automatically assigned to each user when the App is installed. Should the user wish to submit data under a different ID, he can do so by reinstalling the App.
The data submitted when using the App depends on the settings the user has selected. Thus, we will describe all types of data users may eventually submit: trip logs, reports of problems in PTNs, and error reports or suggestions about the service provided by the App and the Website.
In terms of trip logs, the following data is collected: stations or stops visited in each trip, the order in which they were visited (that is, the path the user has taken) and the time of entry and exit at each station or stop.
In terms of reports of problems in PTNs, the data submitted matches exactly the data provided by the user in the act of reporting, which may be eventually supplemented by the current user location at the station or stop level.
As explained in the previous answer, the Website does not collect data about the users, except when that is necessary for troubleshooting technical issues or limiting access to Abusive Users.
In these exceptional circumstances, data collection will always be transparent to the user, only occurring in our servers, and only during Website usage. When troubleshooting, data will be discarded at the end of the troubleshooting session. When dealing with Abusive Users, data may be saved in a secure way and never made public, for future reference.
The App only collects data through its interactive use by the user. If, in the App, the background location setting is enabled, the App will also collect data in an automatic fashion, without user intervention, and only when he is using PTNs indicated by the App as supported, and only if the remaining settings and specifications of the device where the App is being executed allow.
The data collected by the App will be submitted along the trip and after its end, or saved for deferred submission, if an internet connection is not available.
The Team is the sole responsible for collecting and processing user data, as submitted by the App.
The individual trip logs and other data related to user location will never be made public, shared or sold to other entities.
Depending on the type of data and its purpose, data is kept for different time periods, from a few seconds to multiple years. Generally, the higher the granularity of the data, the shorter the period for which they will be kept. At this moment, trip logs are kept for an infinite amount of time; this situation may change once the requirements and technical procedures allow.
Cookies are small pieces of information sent by Web servers, that are stored in the browser of the visitors, and are then sent by the browser at a later time, when accessing the websites that sent them.
The Team is not responsible by the cookies produced by external elements, whose sole responsibility is of the associated services.
The collected information serves the following purposes:
- Improving the routing, waiting time and route cost algorithms;
- Allowing more efficient location of the vehicles of the supported PTNs and the more precise calculation of vehicle waiting times;
- Informing App and Website users of possible problems or changes to the services provided by the operators of the supported PTNs;
- Contributing to a global usage record of the supported PTNs, independently of the records eventually published by the operators of these networks;
- Improving the App and its features.
The anonymous data provided by the users will be used exclusively for purposes connected to the service provided by the App and the Website, as well as the production of informative reports, to be published on the Website, through mass data analysis. None of the information provided will be sold, rented or shared with third parties. We will not publish data that can possibly allow for identifying individual users based on their individual public transport usage patterns.
7. What security procedures are associated with the App and the Website, that ensure user data protection against undue access and modification?
The Team takes all the necessary precautions to ensure the data collected through usage of the App and Website, as well as any information extracted from such data, is kept safe and secure during its transmission and storage.
When it comes to Website usage, users access it through a connection that uses the HTTP protocol over the TLS protocol (HTTPS). The latter protocol ensures data is transferred encrypted, such that its confidentiality and integrity is guaranteed, and the authenticity of the server can be verified. This way, the risk of in-transit data interception or manipulation is eliminated.
The Team is committed to maintaining the TLS protocol configuration on their servers updated according to the best international practice.
Communication between the App and the Team's servers happens exclusively over the HTTPS protocol described above, with the same properties and guarantees.
With regards to data protection against undue access and modification, both the Website and the server software that supports the App were designed in such a way as to prevent leakage of the most sensitive data, namely, trip logs.
To submit, access or modify trip logs, problem reports or other data that is associated to an App instance, the App authenticates itself before the server, only gaining access to the data that belongs to that App instance. This authentication uses credentials obtained in a secure way when the app is installed, through a HTTPS connection.
The Team is not responsible for any possible damages resulting from insufficient protection of the devices where the App is installed, that might allow for obtaining or manipulating sensitive information, or the mentioned credentials.
If you have any questions regarding the security of the data, or of the system as a whole, or to report security vulnerabilities, please contact our security team through the email address firstname.lastname@example.org.
8. In what way can the users obtain, correct or delete the information they previously made available through the App?
Currently, the option that allows for deleting trip logs in the App only deletes the information from the App, and not on the App server, so should the user want to delete from the Team's records part or the totality of the information submitted by him, he should do so through the email address email@example.com.
Authorization for Different Uses
Should the Team want to use the user data for purposes different from those initially described in this document, they will ask the users for permission, through the means considered necessary by the Team.
Collected data is anonyous and part of a database. Only the results of the statistical analysis of this data will be published, in such a way as to prevent association of specific sets of data to a single user.