This document describes how we collect and use the data concerning the use of our services. We keep it simple and easy to understand, as our company has been built on openness and our services on trust. Here you will also find our contact information in case you need any further assistance. If you are a Rydoo user, or just browsing our website, this policy applies to you.

Introduction

At Rydoo, we understand the need for privacy and safety. We consider our users’ trust one of our most valuable assets. Therefore, we want to ensure your data is safe with us.

Rydoo N.V. and Rydoo Sp.Zo.o and their local subsidiaries provide business process outsourcing services in the areas of travel and expense management using modern technology solutions.

Our expense management services allow the client to capture, track and store his business expenditure receipts, as well as to generate and submit for approval the expense reports derived from those receipts, which are uploaded via either web, e-mail and/or mobile applications.

This policy applies to all the platforms you can use to get access to our services and all the data we collect using those platforms.

This policy may change when the applicable legislation changes or if we decide to extend our services. Please visit this page regularly to be kept up to date.

If you do not agree with this Privacy Policy, we kindly advise you to not use or stop using our services.

What kind of information do we collect?

Information provided by you or your employer

Depending on the services you or your employer have selected, we collect some specific information about you:

  • For our expense management services we need your identification data (name, professional email, and information about those expenses that may help your employer reimburse them – which may include bank account number, the scanned receipt, credit card statements, etc.).
  • We collect data on behalf of your employer (acting as the data processor), but we also collect data in our name, to improve our services, protect our networks from attacks or intrusions, think of new features which may be useful for you, etc. (In such cases, we are acting as the data controller).

If you can book accommodation, flight or rail tickets using Rydoo, the supplier (the transportation or accommodation provider) will need to know certain things about you to process your booking and deliver its services, like your first name, last name, ID document number, contact details, other travelers’ data; sometimes your date of birth.

The use of our services does not require users to fill in or upload sensitive personal data. To avoid unnecessary exposure, we ask you to make sure that sensitive personal data are not filled in or uploaded to your account (intentionally or accidentally) in any form as photos, notes or other if it is not necessary. Required personal data are normally limited to name, email address and information about the corresponding expenses or trips being managed by Rydoo. However, the Client (your employer) may require additional data.


Information we collect automatically when you use our services

When you use our services, we also collect certain information automatically like your IP address, browser type and version or mobile device data and local settings, e.g. language; activity on our website, including the pages you visited and searches you made.

 

Information from other sources

If you use a third-party payment provider, if you link your profile with social media or instant messaging profile or if you use our platform via third party integrated software, we can collect information from those sources.

All our accommodation and transport services providers may also share with us information about you and your trip.

 

Refer a friend

In case we would enable a refer-a-friend functionality, you must always seek your friend’s consent to our use of your friend’s name and e-mail address to contact them about our services. By providing us with your friend’s name and email address, you warrant that your friend consents to such contact.

 

What is the purpose of data collection?

Summary: We need to see if you (or your company/employer) would be interested in getting our products (Legal basis: Legitimate Interest). (We only process some of this data if you agree to it beforehand – Legal basis: Consent).

In addition, we process some data on behalf of your employer so we can provide you with our services and your employer can fulfill its obligations. (Legal Basis: The performance of a contract).

We also need our users and travelers’ data to provide our services to them: searching for hotels and rates available, booking rooms or tickets, managing expenses, creating and transmitting expense reports or any other service we provide and to improve our services for our clients. (Legal Basis: the performance of a contract / Legitimate Interest)

We also use your contact information to inform you about any changes to trip itineraries, any actions waiting for you in the system or any new features and services available. (Legal Basis: the performance of a contract)

How long do we store your data?

Summary: Personal data is gathered for a specific purpose and stored also for a specific purpose. The overall rule we apply is that we will delete all the data within 6 months after the end of the year when the data is no longer needed for any purpose. You can find out more about the specific categories in the Data retention section.

Please be aware that there are various purposes for which we gather and later process your personal data. We take into consideration all those purposes and have defined a data retention period for each category of personal data (you can see more information here in this table).

We have a deadline of 6 months after the end of the year of termination of the purpose, because even though we regularly archive the data that is not needed anymore from our system, this deleted data may stay in the system or the infrastructure logs and backups. These logs and backups are deleted within a period of 6 months.

With whom do we share your data?

Summary: We share the data you submit to us with our other business entities so our teams (in France, Belgium, Portugal, Brazil, or Poland) can get in contact with you, sell you our products, and support our customers and users. We also rely on some of our suppliers to provide our services; you can find out more here.

Rydoo also may provide you access to multiple different service providers through its platforms (e.g. hotels, airlines, rail companies, financial institutions). We need to share your data with them to help you manage your expenses or your trip bookings.

We may share your information with any other company within our group for the purposes stated in this privacy policy. We may also share it with carefully selected partners, hired consultants or vendors working on our behalf, in line with EU regulations.

Of course, we might have to share the information with the competent authorities if the applicable legislation requires us to do so. Please keep in mind that we will always try to protect your rights.

Our website(s) and/or web and mobile application include links to third party sites. Rydoo does not control these third-party sites, and we encourage you to read the privacy policy of every site you visit.

Where is your personal data processed?

We mainly process your personal data within the European Economic Area (EEA). Being the data processor, Rydoo relies on a limited number of sub-processors to perform well-defined elements of its services. Some of these sub-processors may be located outside of the EEA. They have been selected carefully and all have adequate privacy guarantees in place. To read more about these please see our Subprocessors section.

How we secure the Data

Summary: We use appropriate technical and operational measures (e.g. data encryption, security audits, hashing, etc.) to secure information collected by Rydoo. We are ISO 27001 certified; you can read more about it here.

When providing our services, we only engage subcontractors, parent or subsidiary companies which adhere to equivalent rules on the protection of personal data in line with EU regulations. You can read more information about it here.

Children’s personal data

Rydoo services are meant to be used only by adult users (over 18 years old). Underage persons’ data collected by an employer will be collected only with parents / legal guardians’ permission (as it is the employer’s responsibility to obtain).

Who is responsible for data processing?

As part of the business unit Sodexo Travel & Expense:

  1. Rydoo Sp.zo.o., al. Jerozolimskie 180, 02-486 Warsaw, Poland
  2. Rydoo NV, Hendrik Consciencestraat, 40/42 2800 Mechelen, Belgium

 

Data Protection Officer

We have appointed a Data Protection Officer: Anne-Cécile Colas

In case of any request related to data privacy, you may reach our DPO or local point of contact by e-mail: [email protected].

What we will do if there is an update to this policy

From time to time, we may change our privacy practices. We will notify you of any changes to this Policy as required by law. We will also post an updated copy on our website. It will have a different date and version number from the one set out below. Please check our site periodically for updates.

Significant changes will be communicated to your company admin or through an email.

Data retention schedule for our application users

| Data Category | Explanation | Retention period |
|---|---|---|
| Identification data | | |
| PII | Name, login, title, email address, IDs assigned by the controller. | Account deactivation + 10 years |
| Contact data | Address (work and home), other addresses, telephone number (work and home). | Data deleted, account deactivated or requested to stop processing/delete data |
| Identification information assigned by government institutions | ID card number, passport number, drivers license number, license plate number, etc. | Data deleted, account deactivated or requested to stop processing/delete data |
| Electronic identification data | IP addresses, cookies, connection moments, etc. | Account deactivation + 10 years |
| Electronic localization data | Cell tower data, GPS data, etc. | Account deactivation or consent withdrawn |
| Special financial data | | |
| Financial transactions | Amounts paid and payable by the data subject, awarded credit lines, sureties, payment method, payment overview, deposits and other guarantees. | Moment of transaction related invoice payment recognized + 10 years |
| Personal characteristics | | |
| Personal details | Age, sex, date of birth, place of birth, nationality. | Data deleted, account deactivated or requested to stop processing/delete data |
| Habits | | |
| Travel details | Information regarding business travel habits and preferences | Data deleted, account deactivated or requested to stop processing/delete data |
| Leisure pursuits and interests | | |
| Leisure activities and interests | Hobbies, sports, other interests. | Data deleted, account deactivated or requested to stop processing/delete data |
| Memberships | | |
| Memberships (other than professional, political, or in trade unions) – only if required to manage business travel or expenses | Memberships in loyalty programs, organizations, clubs, partnerships, unions, groups, etc. – if used for business travel management or expense management. | Account deactivation + 10 years |
| Consumption habits | | |
| Travel data | Details regarding the goods and services provided to the data subject. | Moment of transaction related invoice payment recognized + 10 years |
| Business expense data | Details regarding the goods and services reported as expenses by the data subject. | Contract end |
| Application usage | Details regarding usage of the application by the data subject. | Account deactivation |
| Requests, complaints, incidents or accidents | Information regarding a request, accident, incident, or complaint in which the data subject is involved, the nature of the request, damage, involved persons, witnesses. | Closing the case + 10 years |
| Profession and employment | | |
| Current employment | Employer, title and role description, seniority, work location, specialization or company type, work modes and conditions. | Account deactivation + 10 years |
| Photographs recordings | | |
| Images | Camera recording, photographic recording, digital photos or scans of receipts uploaded, etc. | Data deleted, Contract end, Request to delete data / stop processing |
| Sound recordings | | |
| Sound recordings | Phone recordings regarding requests or issues, etc. | Closing the case + 10 years |
| Electronic activity logs | | |
| Application and infrastructure logs | Logs of user actions and technical requests registered | Account deactivation |
| Users login logs | Recorded user login attempts | Account deactivation + 10 years |

Your rights

Summary: You have a right to review the information we collect about you. It is available in your profile (so you can rectify it if needed), and you can always ask for access or deletion, or ask us to rectify it, by emailing us or using this form.

You can always contact us if you believe that we are no longer entitled to use your personal data, or if you have any other questions about how your personal information is used. Please email or write to us using the contact details below. We will handle your request in accordance with all applicable EU & national data protection laws.

Contact: [email protected]

Right of access

You can request access to your Personal data. You may also request rectification of inaccurate Personal data, or to have incomplete Personal data completed.

You can request any available information as to the source of the Personal data, and you may also request a copy of your Personal data being processed by us.

 

Right to be forgotten

Your right to be forgotten entitles you to request the erasure of your Personal data in cases where:

  1. the data is no longer necessary;
  2. you choose to withdraw your consent;
  3. you object to the processing of your Personal data by automated means using technical specifications;
  4. your Personal data has been unlawfully processed;
  5. there is a legal obligation to erase your Personal data;
  6. erasure is required to ensure compliance with applicable laws.

 

Right to restriction of processing

You may request that processing of your Personal data be restricted in the cases where:

  1. you contest the accuracy of the Personal data;
  2. we no longer need the Personal data, for the purposes of the processing;
  3. you have objected to processing for legitimate reasons.

 

Right to data portability

You can request, where applicable, the portability of your Personal data that you have provided to us, in a structured, commonly used, and machine-readable format. You have the right to transmit this data to another Controller without hindrance from us where:

  1. the processing of your Personal data is based on consent or on a contract; and
  2. the processing is carried out by automated means.

You can also request that your Personal data be transmitted to a third party of your choice (where technically feasible).

 

Right to object to processing for the purposes of direct marketing

You may object (i.e. exercise your right to “opt-out”) to the processing of your Personal data particularly in relation to profiling or to marketing communications. When we process your Personal data on the basis of your consent, you can withdraw your consent at any time.

 

Right not to be subject to automated decisions

You have the right not to be subject to a decision based solely on automated processing, including profiling, which has a legal effect upon you or significantly affects you.

 

Right to lodge a complaint to the competent Supervisory Authority

If you have a privacy-related complaint against us, you should complete and submit the Complaint/Data Subjects’ Request Form or make your complaint by email or by letter in accordance with our Global Complaints/Requests Handling Policy. If you are dissatisfied with our response, you may then seek further recourse by contacting the relevant local Supervisory Authority.

Subprocessors

Rydoo’s Subprocessors

Rydoo uses carefully selected subprocessors (including third parties, as listed below), subcontractors and content delivery networks to assist it in providing the Rydoo Services as described in our Terms and Conditions.

 

What is a Subprocessor?

A subprocessor is a third party data processor engaged by Rydoo, including Rydoo’s sister companies, who has or potentially will have access to or process Client’s Data (which may contain Personal Data). In the following sections we will explain which subprocessors we use and what types of activities they perform. We also mention some of our sub-contractors who in principle do not get access to Personal Data but rarely and incidentally might do so. As a precaution, we have taken the necessary measures and safeguards to make sure that everyone’s personal data is properly taken care of such as signing Data Processing Agreements and EU Standard Contractual Clauses with them.

 

How do we choose a Subprocessor?

We have a careful selection process where we take into consideration the security, privacy and confidentiality practices of proposed subprocessors that will or may have access to or otherwise process Personal Data. We will not select any subprocessor that cannot guarantee to provide the very same level of Data Protection as Rydoo.

 

Contractual Safeguards

All of our sub-processors need to comply with equivalent obligations as those required from Rydoo (as a Data Processor) as set forth in Rydoo’s Data Processing Agreement (“DPA”), including but not limited to the requirements to:

  • Only collect, process and use the types of personal data relating to the categories of data subjects for the purposes of providing the Rydoo Services under the Contract and for the specific purposes required in each case.
  • In connection with their subprocessing activities, use only personnel who are reliable and subject to a contractually binding obligation to observe data privacy, confidentiality and security, to the extent applicable, as established in Data Protection Laws.
  • Provide regular training in security and data protection to personnel to whom they grant access to Personal Data.
  • Implement and maintain appropriate technical and organizational measures (including measures consistent with those to which Rydoo is contractually committed to adhere to) and provide evidence of compliance with this obligation.
  • Promptly inform Rydoo about any actual or potential security breach.
  • Cooperate with Rydoo in order to deal with requests from data controllers, data subjects or data protection authorities, as applicable.

What will happen if we engage a new Subprocessor:

Our Clients will be notified of any changes on this page. If the Client has a reasonable objection to any new or replacement Subprocessor, it shall notify Rydoo of such objections in writing within ten (10) days of the notification and the parties will seek to resolve the matter in good faith.

If Rydoo is reasonably able to provide the Rydoo Services to the Client in accordance with the Main Agreement without using the sub-processor and decides in its discretion to do so, then the Client will have no further rights under this provision in respect of the proposed use of the sub-processor. If Rydoo requires use of the Subprocessor in its discretion, it shall seek to satisfy the Client as to the suitability of the Subprocessor or the documentation and protections in place between Rydoo and the Subprocessor in a period not exceeding ninety (90) days from the Client’s notification of objections.

If the Client does not provide a timely objection to any new or replacement Subprocessor in accordance with this procedure, the Client will be deemed to have consented to the sub-processor and waived its right to object. Rydoo may use a new or replacement Subprocessor whilst the objection procedure in this section is in process.

Termination rights, as applicable and agreed, are set forth exclusively in the Contract.

The following is an up-to-date list (as of the date of this policy) of the names and locations of Rydoo’s Subprocessors, subcontractors and content delivery networks:

 

| Sub-processor | Address | Type of assistance |
|---|---|---|
| Expense | | |
| Microsoft Corporation (Azure SQL databases – EU) | Microsoft Corporation, 1 Microsoft Way, Redmond, WA 98052-6399, USA | App data storage within the EU (ISO 27001 & ISO 9001) |
| Godspeed IT Services (India) | 143/1 Shri Ram Nivas, Parvati Gaon, Pune-411009, Maharashtra, India | Quality checks of images scanned through OCR software; Controlling Services |
| Infrrd Inc. (USA) | Suite 360E, 2001 Gateway Place, San Jose, CA 95110, USA | Automatic reading of scanned receipts |
| Veryfi Inc. (USA) | 28 E 3rd Ave, Suite 201, San Mateo, 94401, California, US | Automatic reading of scanned receipts (EU processing) |
| SendinBlue | 7 Rue de Madrid, 75008, Paris, France | E-mailing platform used for sending out reminders to approvers/controllers |
| Intercom R&D Unlimited Company (Ireland) | 2nd Floor, Stephen Court, 18-21 St. Stephen’s Green, Dublin 2, Republic of Ireland | Product support platform |
| Travel | | |
| Rydoo Sp. z o.o | al. Jerozolimskie 180, 02-486 Warsaw, Poland | Customer platform support |
| COIG S.A. | ul. Mikołowska 100, 40-065 Katowice, Poland | App data storage (ISO 27001 & ISO 9001) |
| Beyond Sp z o.o. | ul. Dziadoszańska 9, 61-248 Poznan, Poland | App data storage (ISO 27001) |
| Lyra Network (Payzen) | Rue de l’innovation 109, 31670 Labège, France | Credit card operations |
| PCI Booking Ltd. | Unit 7 Coolport, Coolmine Industrial Estate, Blanchardstown, Dublin, D15 HC91, Republic of Ireland | PCI DSS Shield |
| SendinBlue | 7 Rue de Madrid, 75008, Paris, France | Mailing Service |
| Systell | St. Pultuska 10, 61-052 Poznan, Poland | Call center system |