Terms & Conditions
Last updated: September 5, 2019
These terms and conditions of sales (the “Terms and Conditions”) are entered into between Rydoo Spółka z ograniczoną odpowiedzialnością, with registered office in Warsaw at Aleje Jerozolimskie 180, entered in the Register of Entrepreneurs of the National Court Register maintained by the District Court for the capital city of Warsaw, XII Commercial Division of the National Court Register under KRS number 0000769648, NIP 1070029274, REGON 147141554, share capital: 416 415,00 PLN (“Rydoo”) and the client which is a legal entity or an organizational unit of a legal entity that subscribes to Rydoo’s services under the Terms and Conditions (the “Client”), hereunder referred to as the Parties (a Party).
Contract between the Parties is entered into by registering to the T&E Services and accepting the present Terms and Conditions either by (i) accepting these T&Cs electronically while registering to the T&E Solution or (ii) accepting these T&Cs and connected order form in writing – both manners having full legal force.
By accepting these Terms and Conditions, and/or by accessing and using T&E Services Client shall represent and acknowledge to have read, understood, and agreed to be bound by these Terms and Conditions. The person entering into the Contract on behalf of a company or another (legal) entity shall warrant to have the authority to bind such entity and its representatives to the Contract.
All terms defined below beginning with a capital letter are defined as follows:
Contract: means this Terms and Conditions and its appendices (when applicable)
Data: means any data from the Client database upload to the T&E Solution which can be accessed only by Users.
Identifiers: means both the identifier specific to the user (“login”) and the login password (“password”), provided by Rydoo;
T&E Solution: means the software solution in SaaS mode (including updates, upgrades and corrections delivered by Rydoo as part of the Services) made available to the Client which includes the OBT and the Expense Solution modules.
OBT: means T&E Solution module – the self-booking tool or online booking tool.
Personal Data: means any information which directly or indirectly identifies any individual, including by reference to an identifier, such as, without limitation, the name, address, email address, phone number, identification number or an identifier.
Services: refers to the hosting, maintenance and support services provided by Rydoo to the Client in relation with the T&E Solution.
User: means a natural person authorized by the Client to use the T&E Solution and the Services.
Expense Solution: means T&E Solution module allowing individuals and businesses to capture, track and store their business expenditure receipts, as well as to generate and submit for approval expense reports derived from those receipts.
Supplier: third party providing accommodation (eg hotels, motels, apartments, bed & breakfasts), flights, vehicle rental services and any other travel related products and services made available for reservation via T&E Solution.
The purpose of this Contract is to define the conditions under which the Client is authorized to use the T&E Solution and the Services. Any order by the Client is governed by this Contract. These Terms and Conditions supersede any terms and conditions of purchase of the Client and any prior agreements between the Parties on provision of the same Services; any specific clauses in the Contract supersede its general provisions on the same subject.
3. DURATION – TERMINATION
Unless otherwise agreed between the parties, this Contract (including the payment obligations defined in Clause 4 and the order form) comes into force at the date of acceptance of these Terms and Conditions by the Client, for indefinite period. The Contracts that are paid monthly can be terminated upon 1 (one) month prior notice. The Contracts that are pre-paid for 12 (twelve) months can be terminated upon prior notice given at least 1 (one) month before the end of the pre-paid period.
The Contract may be terminated or suspended by Rydoo immediately upon notification if the Client fails to pay any invoice after the due date, in the event of apparent insolvency, or if the Client violates the terms of the Contract.
Upon termination of this Contract, for whatever reason, Rydoo shall revoke any access to the T&E Solution offered to the Client and the Client shall immediately cease any access and use of the T&E Solution and the Services. In addition, Rydoo agrees to provide the Client with a copy of its Data in defined format within a period of one (1) month of the Client’s request.
Termination of this Contract does not affect completion of performance of any bookings made via the T&E Solution and pre-paid by the Client to the Suppliers prior to the termination. Likewise, termination of this Contract does not affect the performance of the Client’s obligations set forth in Clause 4.
4. FINANCIAL CONDITIONS
Access and use of the T&E Solution and the Services are authorized in consideration for the payment of the fees mentioned on the invoices and/or in the Contract.
The fees are exclusive of VAT (and other indirect taxes) and payable via payment card or according to the instructions on the invoice issued by Rydoo, as applicable.
For Contracts that are paid monthly price revisions can be applicable monthly. For Contracts that are pre-paid for 12 (twelve) months price revisions can be applicable upon expiry of the pre-paid period.
At the Client’s request, Rydoo may, during the term of the Contract, provide Additional training and configuration services, which, if applicable, shall be additionally invoiced in accordance with the conditions set out in this Contract.
The Client expressly renounces from any repayment of amounts pre-paid in advance.
In the event of non-payment by the due date, any amount due to Rydoo, and not contested by the Client, shall bear interest at the legal interest rate, from the first business day of delay. Rydoo may likewise request the payment of a lump sum of forty (40) Euros for recovery costs, without prejudice to its right to seek greater compensation if costs actually incurred in this regard exceed the lump sum amount.
Without prejudice to the preceding and without any prejudice to the payment obligation of the Client(s), each protest must be communicated within a period of 8 (eight) calendar days as of the invoice date by a motivated registered letter. After this period, the Client shall be deemed to have definitively accepted the invoiced amount.
5. T&E SOLUTION
5.1 Access and use of the T&E Solution
The Client may access and use the T&E Solution 24 hours a day, 7 days a week, subject to maintenance periods.
The T&E Solution can be accessed from (i) any compatible devices of the Client (computers, mobiles or tablets) and (ii) using the identifiers provided to the Client by Rydoo. The identifiers are intended to restrict access to the T&E Solution by the Client and the Users, to protect the integrity and availability of the T&E Solution, as well as the integrity, availability and confidentiality of any Data. The identifiers are personal and confidential. The Client agrees to take any necessary measures to keep its identifiers confidential and not to disclose them in any form whatsoever.
Rydoo shall not be held responsible for any damages resulting from any loss or breach of confidentiality with regard to the identifiers assigned to the Client and its Users.
5.2 Intellectual Property Rights
The T&E Solution, as well as all its components (such as trademarks, logos, computer programs, graphics, images, texts) are the exclusive property of Rydoo or have been granted to it. This Contract does not imply any assignment of intellectual property rights of any kind on any elements belonging to Rydoo.
Rydoo grants the Client a personal, non-exclusive, non-assignable, non-transferable right to use the T&E Solution for the duration of this Contract for its Users on a worldwide basis and the sole purpose of the Client’s internal needs. The Client shall use the T&E Solution and shall authorize access to it by the Users in accordance with its requirements, any documentation provided and the present Terms and Conditions.
The Client may not in any case transfer, delegate or allow a third party to make use of its right to use the T&E Solution and is strictly prohibited from any other use. In particular, the Client is not permitted to make any copy, correction, adaptation, modification, translation, arrangement, distribution, decompilation, alteration, and more generally, any change to all or part of the T&E Solution. Nor may it permanently or temporarily reproduce all or part of the T&E Solution by any means and in any form.
The Client shall provide Rydoo with any information required for the performance of the Services.
Rydoo provides the following Services to the Client:
– Provision and maintenance of the T&E Solution: Rydoo shall implement from time to time upgrades, updates and new versions of the T&E Solution. Any new versions might include any modifications or deletions of existing features and/or new features or capacities.
– Technical support for T&E Solution: Technical issues and requests can be reported by the in-app chat tool from Monday to Friday from 09.00 to 18.00 Central European Time (excluding public holidays).
– Traveller support services: Support is available in French and English from Monday to Friday from 09.00 to 18.00 CET time (excluding public holidays). Outside of those hours or during weekends and public holidays the emergency support is provided in English. Provision of those services shall be invoiced in accordance with the applicable pricing.
– Additional Training and configuration services: at the Client’s request, Rydoo may, during the term of the Contract, provide additional services, which shall be invoiced in accordance with the applicable pricing.
The Client acknowledges that T&E Solution is an ancillary SaaS platform and Rydoo is not engaged in provision of any accounting, accommodation or transportation services that may be enabled by and/or available to the Client through his own use of T&E Solution modules..
For the purposes of this Contract, “Confidential Information” means all confidential and proprietary information of a Party disclosed to the other Party, whether orally or in writing, that is clearly identified in writing or verbally at the time of disclosure as confidential. It includes Rydoo’s documentation, the Data and information related to T&E Solution, whether or not marked as confidential or proprietary.
Each Party agrees not to use or reproduce the Confidential Information of the other Party for purposes other than for the requirements of the Contract and not to disclose or transfer the Confidential Information of the other Party to any third parties without its prior written consent.
Notwithstanding the foregoing, Confidential Information can be disclosed by the other Party to its employees, officers and consultants as well as to employees, officers and consultants of its subsidiaries or authorised subcontractors solely for the purposes of performance of the Contract, and provided that such individuals are duly informed of the confidential nature of the information, and that they are bound by confidentiality undertakings similar to those set forth in this clause.
These confidentiality obligations do not apply to Confidential Information that is:
– entered into the public domain prior to disclosure or thereafter without being in breach of this clause;
– known prior to its disclosure by the disclosing party;
– received from a third party lawfully;
– developed independently by the recipient Party.
These confidentiality obligations shall continue to have effect for a period of three (3) years following the expiry or termination of the Contract.
8. PERSONAL DATA
For the purpose of this Contract, Rydoo will access to the Users’ Personal Data and will process them on behalf of the Client, in its quality of Data Processor, in accordance with the Data Protection Laws.
The Client shall be solely responsible for the use of the T&E Solution by the Users.
The liability of each Party shall be limited to direct damages caused to the other Party. Neither Party shall be held liable for any indirect damages or any loss of data, loss of income, loss of profits, loss of opportunity or loss of customers or damage to the image arising from or relating from this Contract regardless of whether such persons were advised of the possibility of such losses or damages or such losses or damages were otherwise foreseeable. Under no circumstances shall Rydoo be liable for any loss or damage caused by the reliance of the Client on any information, statements or reports obtained using the T&E Solution. Rydoo shall not be liable for any damages caused by the failure of the Client to provide information, documents or files required to implement the T&E Solution, as well as any data errors provided by any third party or by the Client.
In any event, Rydoo’s liability shall not exceed an amount equivalent to the subscription fees received by Rydoo during the twelve (12) months preceding the occurrence of the damage invoked by the Client, except in case of wilful misconduct or gross negligence.
In any event, Rydoo may be exempted from all or part of its liability insofar as the non-performance or improper performance of the Contract is attributable to the unforeseeable and insurmountable act of a third party unconnected with the provision of services under the Contract, or to a force majeure event. Events of force majeure include strikes or social conflicts, the freezing of all means of transport or supply, earthquakes, fires, storms, floods, power outages, wars, attacks, riots, political instabilities, breakdowns of telecommunications as well as all other events of force majeure.
10. APPLICABLE LAW AND COMPETENT JURISDICTION
This Contract is governed and interpreted in accordance with French law. Any dispute which may arise with regard to the validity, interpretation, performance, termination, as well as the consequences of this Contract, must be submitted to the Paris Commercial Court, regardless of the place of performance of the Contract or of the domicile of the defendant, notwithstanding plurality of defendants or impleading of third parties, even for emergency proceedings or protective proceedings.
10-A. Rydoo’s contracting entity
Rydoo’s entity entering into the Contract depend on the information stated in the particular Order Form, which may be either of the following:
- Rydoo NV, company registered under number BE0835424277 with registered address at Hendrik Consciencestraat 40/42, 2800 Mechelen, Belgium.
- Rydoo SASU company registered under number 531089167, (SIRET: 53108916700039) with registered address at 26-34 Cours de l’île Seguin – Tour Horizons, 92100 Boulogne-Billancourt, France.
- Rydoo Inc. company registered under number 5628294, (EIN: 47-2255846) with registered address at 222 Broadway 19th Floor, NYC, NY 10038, United States
For the avoidance of doubt, in the absence of an Order Form, the Contract is entered into by Rydoo Sp.z.o.o. as detailed in the introductory part of these Terms and Conditions.
No other provisions are modified as a result of this Clause.
Changes to the Terms and Conditions will be made by Rydoo by publishing the updated version of Terms and Conditions on its website www.rydoo.com. The amended Terms and Conditions will come into force five (5) days after their publication on this site and binding upon the Client, if he continues using T&E Services after this 5-day period. Amendments done pursuant to an evolution of applicable law or regulation will come into force as from the publication date on the site.
The Client acknowledges and agrees that Rydoo might use its name, logo and other (registered and unregistered) trademarks for marketing purposes (among others to display it on the Rydoo website and in marketing materials). In the event that the Client wishes to withdraw this consent, Rydoo shall cease the use of the aforementioned trademarks within 30 days.
The client acknowledges and agrees that during the term of the Contract Rydoo may contact the Client for the purposes of obtaining testimonials, case studies, interviews and other relevant marketing materials.
The Contract is entered into intuitu personae. Neither party shall be entitled to assign, transfer or relinquish in any way its rights and obligations arising from the Contract in favour of a third party without the prior written consent of the other party which should not be unreasonably withheld. Nevertheless, Rydoo, upon 30 days written notice to the Client, shall be entitled to assign this Contract to its affiliates or group companies. The Client acknowledges that the Rydoo brand is represented and T&E Solution is operated by sister companies – Rydoo NV, having its registered address at Hendrik Consciencestraat 40/42, 2800 Mechelen, Belgium, and Rydoo Spółka z ograniczoną odpowiedzialnością, with registered office in Warsaw at Aleje Jerozolimskie 180, Poland – whereas both these entities can provide and/or bill the Services to the Client at discretion of Rydoo, which is agreed by the Client.
The Client agrees than any previous Non-Disclosure Agreement entered into between the Parties shall be governed by the provisions contained herein, in accordance with Clause 7.
The fact that one of the Parties did not exercise any of its rights in a timely manner, or did not exercise them at all, shall not be presumed to operate as a waiver of such rights, whether in relation to a past or future fact.
At Rydoo, we understand the needs of privacy and safety. We consider our travelers’ trust as one of our most valuable assets. Therefore, we want to do the utmost for your data to ensure it’s safe with us.
This document describes how we collect and use the data concerning the use of our services. We keep it simple and easy to understand, as our company has been built on openness and our services on trust. Here you will also find our contact information in case you would need any further assistance.
Rydoo N.V. and Rydoo Sp.Zo.o and their local subsidiaries provide business process outsourcing services in the areas of travel and expense management using modern technology solutions.
Our expense management services allow the client to capture, track and store his business expenditure receipts, as well as to generate and submit for approval the expense reports derived from those receipts, which are uploaded via either web, e-mail and/or mobile applications.
Our travel management services allow the client to use our web pages, mobile applications, call center, integrated partner applications, instant messaging and social media platforms. This policy applies to all the platforms you can use to get access to our services and all the data we collect using those platforms.
This policy may change when the applicable legislation changes or if we decide to extend our services. Please visit this page regularly to be kept up-to-date.
What kind of information we collect
Information provided by you or your employer
Depending on the services you or your employer has selected, we collect some specific information about you.
To provide you with the best available accommodation, flight or rail ticket we need to know certain things about you, like your first name, last name, ID document number, contact details, other travelers’ data; sometimes also your date of birth can be asked, in order to process the booking.
In order to perform our expense management services, we may also receive and store the following information about you: your bank account number, scanned expense receipts and credit card statements, which may include personal data such as name, address and bank account information.
Use of our services does not always require users to fill in or upload sensitive personal data. In order to avoid unnecessary exposure, we ask you to make sure that sensitive personal data are not filled in or uploaded to your account (intentionally or accidentally) in any form as photos, notes or other if it is not necessary.
Information we collect automatically when you use our services
When you use our services we also collect certain information automatically like your IP address, browser type and version or mobile device data and local settings, e.g. language; activity on our website, including the pages you visited and searches you made.
Information from other sources
If you use a third party payment provider, if you link your profile with social media or instant messaging profile or if you use our platform via third party integrated software we can collect information from those sources.
All our accommodation and transport services providers may also share with us information about you and your trip.
Refer a friend
In case we would enable a refer-a-friend functionality, you must always seek your friend’s consent to our use of your friend’s name and e-mail address to contact them about our services. By providing us with your friend’s name and email address, you warrant that your friend consents to such contact.
What is the purpose of data collection
We need our users and travelers’ data to provide our services to them: searching for hotels and rates available, booking rooms or tickets, managing expenses, creating and transmitting expense reports or any other service we provide and to improve our services for our clients.
We also use your contact information to inform you about any changes to trip itineraries, any actions waiting for you in the system or any new features and services available.
How long do we store your data
Personal data is gathered for a specific purpose and stored also for a specific purpose. The overall rule we apply is that we will delete all the data within 6 months after the end of the year when the data is no longer needed for any purpose.
Please be aware that there are various purposes for which we gather and later process your personal data. We take into consideration all those purposes and have defined a data retention period for each category of the personal data.
Why do we put the deadline on 6 months after the end of the year of termination of the purpose? Because, even though we regularly delete the data that is not needed anymore from our system, this deleted data may stay in the system or the infrastructure logs and backups. These logs and backups are deleted within a period of 6 months.
With whom do we share your data
Rydoo provides users with the platform that gives you access to multiple different service providers e.g. hotels, airlines, rail companies, financial institutions. We need to share your data with them for the purpose of managing your expenses or your trip bookings.
Of course, we might have to share the information with the competent authorities if the applicable legislation so requires.
Where is your personal data processed
We mainly process your personal data within the European Economic Area (EEA). Being the data processor, Rydoo relies on a limited number of sub-processors to perform well-defined elements of its services. Some of these sub-processors may be located outside of the EEA. They have been selected carefully and all have adequate privacy guarantees in place.
How we secure the data
We use appropriate technical and operational measures (e.g. data encryption, security audits,, hashing, etc.) to secure information collected by Rydoo to be compliant with all applicable regulations regarding personal data protection and our contractual obligations. We built our information security based on the ISO 27001 standard.
When providing our services, we only engage subcontractors, parent or subsidiary companies which adhere to equivalent rules on the protection of personal data in line with EU regulations.
Personal data of a child
Rydoo services are meant to be used by adult users. Underage persons’ data will be collected only with parents / legal guardians’ permission.
You have a right to review the information we collect about you. It is available in your profile and you can always ask for a proper data record by emailing us or using this form.
You can always contact us if you believe that we are no longer entitled to use your personal data, or if you have any other questions about how your personal information is used. Please email or write to us using the contact details below. We will handle your request in accordance with all applicable EU & national data protection laws.
Contact: [email protected]
Who is responsible for data processing
As part of the business unit Sodexo Travel & Expense:
1. Rydoo Sp.ZO.O., al. Jerozolimskie 180, 02-486 Warsaw, Poland
2. Rydoo NV, Hendrik Consciencestraat, 40/42 2800 Mechelen, Belgium
Data Protection Officer
We have appointed a Data Protection Officer: Anne-Cécile Colas
in case of any request related to data privacy you might reach our DPO or local point of contact by e-mail: [email protected].
What we will do if there is an update to this policy
From time to time we may change our privacy practices. We will notify you of any changes to this Policy as required by law. We will also post an updated copy on our website. It will have a different date and version number from the one set out below. Please check our site periodically for updates.
Information you provide us or your employer provides us
Rydoo needs a set of data to perform their services for you i.e. your first name, last name, e-mail address, sometimes date of birth, and payment methods. We also encourage you to provide us with contact details, document details, loyalty cards and the information about your special rates and benefit programs you want to use, as well as your trip preferences.
According to the contract between Rydoo and your employer or travel management company (TMC) that serves you, your employer or a TMC can provide part or all of this information.
Information collected automatically
All contacts with Rydoo’s platform or with its Customer Service via phone, e-mail, chat, messaging platform or any other channel will be a source of information about you and your preferences. We collect all the communication between you and Rydoo as well as automatically registered data about your contacts with the Rydoo platform and services like IP address, web browser used, device used, and localisation or language settings, third party applications you use to contact us.
For the purpose of administration and maintenance works, we collect logs of operations on the Rydoo platform especially all incidents and technical errors that might occur. We might also use collected user operations data to prevent fraud and misuse of our services.
We might also ask you for an opinion about our services or your trip to help us understand your needs and provide better services for you and other our clients.
Information collected from other sources
We receive personal data about you from business partners that distribute our services by way of a co-branded or private-labeled website, business partners that offer their products and/or services via our services, or business partners that provide services in connection with our services (e.g. payment processing services).
Rydoo services are available through our own platforms and applications and through integrated third party software web pages, online booking tools, instant messaging systems, social media platforms. We will collect information about travellers and users provided by integrated third party software to perform and improve our services.
Rydoo is also integrated with multiple services providers, with hotels, airlines, travel management companies, rail operators, financial institutions, security services etc. Those third parties take part in whole trip management service and share the data about the trip with the Rydoo platform, which manages it all.
Purpose of data processing
We use the information collected about users and travellers for providing and improving the travel management services we offer. We can use it for:
1. Booking trips: this is the most important reason for collecting your data when you are using the travel module. It is necessary to properly search for, book and later on manage your trip (book hotel, issue air or rail ticket). This is our core business and purpose. Additionally we offer other services of our partners connected with travelling i.e. fulfilling payments, providing additional support, monitoring your safety.
2. Managing expenses: this is the main reason for the collection of your data when you are using our expense management module. It is necessary to recognize your expenses, letting you report them and allow the system to reimburse them.
3. Customer service: we offer you 24/7 support in multiple languages. Availability of your data is necessary to help you if you need it. We can provide various support services such as helping you with the booking, resolving issues with the Rydoo platform, supporting you in communication with hotel etc.
4. Providing user access: the Rydoo platform and applications requires proper authentication and authorization. Your data is used to manage the user account on our platform. Using the account, you can manage your reservations, set up your profile, manage your company or TMC and use all other features of the system.
5. Marketing: we use your data for marketing and training purposes:
a. We use contact data to send information about products and services.
b. We use collected data to personalise search results in the Rydoo platform and applications and to recognize you when you visit or return to our website, so we can show you ads or other content tailored to your preferences;
c. In case of participations in any promotion events and loyalty programs, we use your data to manage those events.
6. Communication with users and travellers: we might contact you using phone, e-mail, SMS or an instant messaging platform. We collect the communication between you and us and we will use your data to:
a. Recognize you when you contact us or enter the Rydoo platform or application
b. Solve all the issues raised by you or services providers
c. Notify and remind you about all the tasks and actions you might be interested on the platform.
d. Ask you for an opinion.
e. Send you vouchers, trip itineraries, summaries of your trips.
f. Send you important alert.
7. Market analysis: We can use anonymized data for the analysis of the market. Non-anonymized data or opinions can be collected only if you will agree.
8. Misuse detection: Data collected allows us to monitor user behaviour and detect misuse of our services or applications, frauds and other potentially dangerous actions.
9. Service improvement: Data analysis is used to improve our services, to understand our client needs, negotiating with our providers, improving usability of our applications and eliminating problems and issues.
10. Service monitoring: All technical components of the Rydoo platform and integrated applications collect user operations logs, errors and technical alerts for the purpose of system administration and maintenance.
11. Legal needs: if some cases your data can be used to solve any legal dispute or administrative proceeding.
We collect and process your personal data based on:
1. Contractual obligations: using your data is necessary to fulfil contract between you and us or between your employer and us.
2. Legitimate interest: we can use your data to provide you with the best available travel and expense services: personalised application, messages and search results, providing you proper help and product and training information, for administrations and maintenance purposes, fraud detection and for legal reasons.
3. Your permission: we can ask you for a permission to use your data for special marketing purposes. You can revoke such a permission any time by contacting us.
With whom we can share your data
We share the information we collect about you according to the purpose of data collection.
Solely for purposes of service level assurance we may use third party providers (e.g. our hotel, airline, railway providers, financial institutions, etc.) – who supply us with their specialized service.
In the framework of their service provision, our partners may process application and personal data, but they can never get or link it to any customer details which are not included in those items. We may cooperate with our partners based within or outside the EU, however, all of them without any exception have appropriate technical and organizational measures in place to protect your personal data and they have provided us with adequate contractual guarantees in this regard.
Data shared to manage business travel
For managing your business travel, we may share your data with:
1. Travel services providers we use to organize your trip that can include hotels, airlines, global distribution systems where we book your trip, travel management companies issuing your tickets, but also security agencies that cares about yours safety.
2. Payment operators and other financial services providers to organize all the payments for the services ordered by you. We will share with them only the set of data required to fulfil the service. We can also share additional data in case it is necessary to prevent or detect a fraud or theft.
3. Your employer or an organization that organizes your trip using our services. We report your business trips to your employer, or if you are a guest of a company or client of the travel agency, we will report the data back to them.
4. Other Rydoo entities that provide services or process the data on our behalf, as we centralize our operations.
Data shared to manage expenses
For managing your expenses, we may share your data with:
1. Our Optical Character Recognition (OCR) service provider we use to process electronic images of the receipts and other documents you might upload, and only those images.
2. Your employer or an organization that manages your expenses using our services. We report your expenses to your employer, or if you are a guest to your host our client, we will report the data back to them.
3. Other Rydoo entities that provide services or process the data on our behalf, as we centralize our operations.
We can also share your data with:
1. Vendors, consultants and business partners who help us to carry out work on our behalf.
2. Competent authorities, we may disclose personal data so far as reasonably necessary: if we think you have or may have breached our general terms and conditions or to enforce our rights or protect the public or where we have reasonable grounds for believing that a criminal act has been committed or if we are required to do so by law or appropriate authority.
3 With involved parties in the case of an actual or proposed (including negotiations) sale or merger or business combination involving of all or the relevant part of our business.
4 Other services users (or groups of users) or public, but only the content you provide on such a forum.
5. In aggregated and anonymized form, which cannot be used to identify person.
Where we process your personal data
Your personal data may be stored, used and otherwise processed within Poland and Belgium, and/or any other countries of the European Economic Area (EEA).
We may also store, use or otherwise process personal data outside the EEA. We will always take steps to ensure that any international transfer of information is carefully managed to protect your rights and interests.
Personal data will not be transferred to a country outside the EEA unless:
1. the country to which it is transferred is one which the European Commission considers to provide an adequate level of data protection
2. or the personal data is transferred to a United States company who has entered into EU model clauses with Rydoo, on behalf of its clients where appropriate.
3. or service providers and other third parties to whom data is transferred undertake contractually to process data in accordance with our instructions and to maintain appropriate security to protect the personal data or we are obliged to provide the personal data to a government or public authority.
Rydoo uses social media and instant messaging platforms in several ways. We promote our services and products or services and products of our partners. We share information about our work and we gather feedback and marketing data. We also use social media and instant messaging platforms to support online usage of our services.
We are offering services through social media and instant messaging platforms. You can connect your account in the Rydoo system to your existing account on one of supported social media platforms and take advantage of this channel of communication with us. Our system will be able to send you some notifications and you will be able to perform actions, as you would do in our system. Any time you can disconnect accounts using our or native social media or instant messaging platform functionality.
You can also allow us to use some of the social media platform data, available on your profile like photo, email address or name.
On our pages and in our application we can place social media plugins (i.e. like or share buttons). If you will use it, some of the data will be shared with social media platform and it can be shared with larger audience according to your own social media privacy settings. We advise you to read also privacy policies of your social media platform.
Cookies and other tracking tools
What are cookies and how do they work?
Cookies are small bits of text that are downloaded to your computer or other device when you visit a website. Your browser sends these cookies back to the website every time you visit the site again, so it can recognise you and can then tailor what you see on the screen.
Cookies are used for different purposes. They allow you to be recognized as the same user across the pages of a website, between websites or when you use an app.
We try to give our visitors an advanced, user-friendly website and apps that adapt automatically to their needs and wishes. To achieve this, we use technical cookies to show you our website, to make them function correctly, to create your user account, to sign you in and to manage your bookings. These technical cookies are absolutely necessary for our website to function properly.
We use these cookies to gain insight into how our visitors use our website and apps. This means we can find out what works and what doesn’t, optimize and improve our websites or apps, understand the effectiveness of advertisements and communications, and ensure we continue to be interesting and relevant. The data we gather can include which web pages you have viewed, which referring/exit pages you have entered and left from, which platform type you have used, which emails you have opened and acted upon, and date and time stamp information.
It also means we can use details about how you’ve interacted with the site, such as the number of clicks you make on a given page, your mouse movements and scrolling activity, the search words you use and the text you enter into various fields. We make use of analytics cookies as part of our online advertising campaigns to learn how users interact with our website or apps after they have been shown an online advertisement. This may include advertisements on third-party websites.
We can use third-party cookies as well as our own to display personalized advertisements on our websites and on other websites. This is called “retargeting,” and it is based on browsing activities.
How you can control cookies.
To learn more about cookies and how to manage or delete them, simply visit allaboutcookies.org and the help section of your browser. In the settings for browsers such as Internet Explorer, Safari, Firefox or Chrome, you can set which cookies to accept and which to reject. Where you find these settings depends on which browser you use. Use the “Help” function in your browser to locate the settings you need.
If you choose not to accept certain technical and/or functional cookies, you may not be able to use some functions on our website. We currently do not support “Do Not Track” browser settings.
How long do we store data
Data retention schedule for our application users
|Data Category||Explanation||Retention period|
|PII||Name, login, title, email address, IDs assigned by the controller.||Account deactivation + 10 years|
|Contact data||Address (work and home), other addresses, telephone number (work and home).||Data deleted, account deactivated or requested to stop processing/delete data|
|Identification information assigned by government institutions||ID card number, passport number, drivers license number, license plate number, etc.||Data deleted, account deactivated or requested to stop processing/delete data|
|Electronic identification data||IP addresses, cookies, connection moments, etc.||Account deactivation + 10 years|
|Electronic localization data||Cell tower data, GPS data, etc.||Account deactivation or consent withdrawn|
|Special financial data|
|Financial transactions||Amounts paid and payable by the data subject, awarded credit lines, sureties, payment method, payment overview, deposits and other guarantees.||Moment of transaction related invoice payment recognized + 10 years|
|Personal details||Age, sex, date of birth, place of birth, nationality.||Data deleted, account deactivated or requested to stop processing/delete data|
|Travel details||Information regarding business travel habits and preferences||Data deleted, account deactivated or requested to stop processing/delete data|
|Leisure pursuits and interests|
|Leisure activities and interests||Hobbies, sports, other interests.||Data deleted, account deactivated or requested to stop processing/delete data|
|Memberships (other than professional, political, or in trade unions) – only if required to manage business travel or expenses||Memberships in loyalty programs, organizations, clubs, partnerships, unions, groups, etc. – if used for business travel management or expense management.||Account deactivation + 10 years|
|Travel data||Details regarding the goods and services provided to the data subject.||Moment of transaction related invoice payment recognized + 10 years|
|Business expense data||Details regarding the goods and services reported as expenses by the data subject.||Contract end|
|Application usage||Details regarding usage of the application by the data subject.||Account deactivation|
|Requests, complaints, incidents or accidents||Information regarding a request, accident, incident, or complaint in which the data subject is involved, the nature of the request, damage, involved persons, witnesses.||Closing the case + 10 years|
|Profession and employment|
|Current employment||Employer, title and role description, seniority, work location, specialization or company type, work modes and conditions.||Account deactivation + 10 years|
|Images||Camera recording, photographic recording, digital photos or scans of receipts uploaded, etc.||Data deleted, Contract end, Request to delete data / stop processing|
|Sound recordings||Phone recordings regarding requests or issues, etc.||Closing the case + 10 years|
|Electronic activity logs|
|Application and infrastructure logs||Logs of user actions and technical requests registered||Account deactivation|
|Users login logs||Recorded user login attempts||Account deactivation + 10 years|
Right of access
You can request access to your Personal data. You may also request rectification of inaccurate Personal data, or to have incomplete Personal data completed.
You can request any available information as to the source of the Personal data, and you may also request a copy of your Personal data being processed by us.
Right to be forgotten
Your right to be forgotten entitles you to request the erasure of your Personal data in cases where:
1. the data is no longer necessary;
2. you choose to withdraw your consent;
3. you object to the processing of your Personal data by automated means using technical specifications;
4. your Personal data has been unlawfully processed;
5. there is a legal obligation to erase your Personal data;
6. erasure is required to ensure compliance with applicable laws.
Right to restriction of processing
You may request that processing of your Personal data be restricted in the cases where:
1. you contest the accuracy of the Personal data;
2. we no longer need the Personal data, for the purposes of the processing;
3. you have objected to processing for legitimate reasons.
Right to data portability
You can request, where applicable, the portability of your Personal data that you have provided to us, in a structured, commonly used, and machine-readable format you have the right to transmit this data to another Controller without hindrance from us where:
1. the processing of your Personal data is based on consent or on a contract; and
2. the processing is carried out by automated means.
You can also request that your Personal data be transmitted to a third party of your choice (where technically feasible).
Right to object to processing for the purposes of direct marketing
You may object (i.e. exercise your right to “opt-out”) to the processing of your Personal data particularly in relation to profiling or to marketing communications. When we process your Personal data on the basis of your consent, you can withdraw your consent at any time.
Right not to be subject to automated decisions
You have the right not to be subject to a decision based solely on automated processing, including profiling, which has a legal effect upon you or significantly affects you.
Right to lodge a complaint to the competent Supervisory Authority
If you have a privacy-related complaint against us, you should complete and submit the Complaint/Data Subjects’ Request Form or make your complaint by email or by letter in accordance with our Global Complaints/Requests Handling Policy. If you are dissatisfied with our response, you may then seek further recourse by contacting the relevant local Supervisory Authority or the local competent court. You may also contact our lead Supervisory Authority, the French Supervisory Authority (the “CNIL”, www.cnil.fr).
Rydoo’s GDPR Commitment
The European Union’s General Data Protection Regulation (also called the GDPR), the EU’s legal instrument to strengthen and unify data protection laws for all individuals within the European Union, has come into full effect on May 25th, 2018.
How is Rydoo dealing with GDPR?
Since GDPR was adopted back in April 2016, we haven’t stood still really. Only a couple of weeks later, a gap analysis was performed and a roadmap towards full compliance was drafted. This journey has now come to an end.
Here is a brief overview what we have been occupied within the past months and years:
- Thorough researching the areas of our business impacted by GDPR
- Updating our internal policies and procedures to reflect the GPDR requirements and implementing them step by step
- Reassessing our partnerships with third parties
- Creating awareness among our employees through training sessions
- Drafting and rewriting our Data Processing Agreement
- Appointing a Data Protection Officer
- Thoroughly testing all of our changes to verify and validate compliance with GDPR
Rydoo does not require the end user to fill in or upload any high security personal data, such as credit card number or pin code, social security, health insurance or driver license numbers on the platform. Even so, we want to do the utmost for your data to be sure it’s safe with us. Therefore, Rydoo is also working closely with different external attorneys and IT security experts on its approach, because we want to make sure every aspect is covered.
What is GDPR actually?
The General Data Protection Regulation, which replaces the 1995 Data Protection Directive, regulates the processing of personal data of individuals within the EU. Under GDPR, “personal data” is interpreted broadly and covers any information relating to an identified or identifiable individual (the so-called “data subject”).
The GDPR gives data subjects more rights and control over their data by regulating how companies should handle and store the personal data they collect from them. The GDPR also raises the stakes for compliance by increasing enforcement and imposing greater fines should the provisions of the GDPR be breached.
To give you an idea of some important changes that will come into effect when GDPR enters into force:
– More rights for individuals: The GDPR extends the rights for individuals in the European Union by granting them, amongst other things, the right to access their personal information and the right to be forgotten.
– Compliance obligations: The GDPR also requires organizations to implement appropriate policies and security protocols, conduct privacy impact assessments, keep detailed records on their processing activities and enter into written agreements with vendors.
– Data breach notification and security: The GDPR creates new obligations to report certain data breaches to data protection authorities, and under certain circumstances, to the affected data subjects. The GDPR also places additional security requirements on organizations.
Rydoo uses carefully selected subprocessors (including third parties, as listed below), subcontractors and content delivery networks to assist it in providing the Rydoo Services as described in our Terms and Conditions.
What is a Subprocessor?
A subprocessor is a third party data processor engaged by Rydoo, including Rydoo’s sister companies, who has or potentially will have access to or process Client’s Data (which may contain Personal Data). In the following sections we will explain which subprocessors we use and what types of activities they perform. We also mention some of our sub-contractors who in principle do not get access to Personal Data but rarely and incidentally might do so. As a precaution, we have taken the necessary measures and safeguards to make sure that everyone’s personal data is properly taken care of such as signing Data Processing Agreements and EU Standard Contractual Clauses with them.
How do we choose a Subprocessor?
We have a careful selection process where we take into consideration the security, privacy and confidentiality practices of proposed subprocessors that will or may have access to or otherwise process Personal Data. We will not select any subprocessor that cannot guarantee to provide the very same level of Data Protection as Rydoo.
All of our sub-processors need to comply with equivalent obligations as those required from Rydoo (as a Data Processor) as set forth in Rydoo’s Data Processing Agreement (“DPA”), including but not limited to the requirements to:
- Only collect, process and use the types of personal data relating to the categories of data subjects for the purposes of providing the Rydoo Services under the Contract and for the specific purposes required in each case.
- In connection with their subprocessing activities, use only personnel who are reliable and subject to a contractually binding obligation to observe data privacy, confidentiality and security, to the extent applicable, as established in Data Protection Laws.
- Provide regular training in security and data protection to personnel to whom they grant access to Personal Data.
- Implement and maintain appropriate technical and organizational measures (including measures consistent with those to which Rydoo is contractually committed to adhere to) and provide evidence of compliance with this obligation.
- Promptly inform Rydoo about any actual or potential security breach.
- Cooperate with Rydoo in order to deal with requests from data controllers, data subjects or data protection authorities, as applicable.
What will happen if we engage a new SubProcessor:
Our Clients will be notified of any changes on this page. If the Client has a reasonable objection to any new or replacement Subprocessor, it shall notify Rydoo of such objections in writing within ten (10) days of the notification and the parties will seek to resolve the matter in good faith.
If Rydoo is reasonably able to provide the Rydoo Services to the Client in accordance with the Main Agreement without using the sub-processor and decides in its discretion to do so, then the Client will have no further rights under this provision in respect of the proposed use of the sub-processor. If Rydoo requires use of the Subprocessor in its discretion, it shall seek to satisfy the Client as to the suitability of the Subprocessor or the documentation and protections in place between Rydoo and the Subprocessor in a period not exceeding ninety (90) days from the Cient’s notification of objections.
If the Client does not provide a timely objection to any new or replacement Subprocessor in accordance with this procedure, the Client will be deemed to have consented to the sub-processor and waived its right to object. Rydoo may use a new or replacement Subprocessor whilst the objection procedure in this section is in process.
Termination rights, as applicable and agreed, are set forth exclusively the Contract.
The following is an up-to-date list (as of the date of this policy) of the names and locations of Rydoo’s Subprocessors, subcontractors and content delivery networks:
|Sub-processor||Address||Type of assistance|
|Sentia NV (EU)||Skaldenstraat
121, 9042 Ghent, Belgium
|app data storage within the EU (ISO 27001 & ISO 9001)|
|Microsoft Corporation (Azure SQL databases – EU)||Microsoft Corporation
1 Microsoft Way
Redmond, WA 98052-6399
|app data storage within the EU (ISO 27001 & ISO 9001)|
|The Rocket Science Group LLC d/b/a MailChimp (USA)||675 Ponce de Leon Ave NE
Atlanta, GA 30308 USA
|E-mailing platform used for sending out reminders to approvers/controllers|
|Godspeed IT Services (India)||143/1 Shri Ram Nivas
Parvati Gaon, Pune-411009
|Quality checks of images scanned through OCR sofware|
|Cloudflare Inc. (Global CDN)||101 Townsend St, San Francisco, CA 94107, USA||Content delivery network|
|Infrrd Inc. (USA)||Suite 360E, 2001 Gateway Place,
San Jose, CA 95110, USA
|Automatic reading of scanned receipts|
|Intercom R&D Unlimited Company (Ireland)||2nd Floor, Stephen Court, 18-21 St. Stephen’s Green, Dublin 2, Republic of Ireland||Product support platform|
|Rydoo Sp. z o.o||al. Jerozolimskie 180, 02-486 Warsaw, Poland||Customer platform support|
|COIG S.A.||ul. Mikołowska 100, 40-065 Katowice, Poland||App data storage (ISO 27001 & ISO 9001)|
|Beyond Sp z o.o.||ul. Dziadoszańska 9, 61-248 Poznan, Poland||App data storage (ISO 27001)|
|Lyra Network (Payzen)||Rue de l’innovation 109, 31670 Labège, France||Credit card operations|
|PCI Booking Ltd.||Unit 7 Coolport, Coolmine Industrial Estate, Blanchardstown, Dublin, D15 HC91, Republic of Ireland||PCI DSS Shield|
|SendinBlue||Rue d’amsterdam 55, 75008, Paris, France||Mailing Service|
|Systell||St. Pultuska 10, 61-052 Poznan, Poland||Call center system|