Prontobus SRL ("Prontobus"), as Data Controller, informs you pursuant to art. 13 D.Lgs. 196/2003 ("Privacy Code") and 13 European Privacy Regulation n. 679/2016 ("GDPR") that your data will be processed as follows.
1. Object of the treatment
Personal data means all information relating to the user that allows us to identify him, such as the name, contact details, booking reference number, payment details and information on his access to our website. These data can be collected through the website http://www.prontobusitalia.it ("Site") and the Android App and iOS Prontobusitalia ("App").
Below what data can be collected on direct insertion of the user:
When you create your account on the Site or on the App, we ask you to provide us with your personal data such as Name, Surname, Date of birth, Email Address, Telephone Number, User Name and Password
Your travel information, and those of people traveling with you, when you make an online or telephone booking. This information includes Name, Surname, Email Address and Telephone Number
When you make a reservation, and choose to use a discounted rate reserved only for card holders or special requirements, we may ask you to prove to meet the right to the discount by entering for example the number of the card in question (for example, university matriculation number for the students)
If you choose an electronic payment, you must enter the billing information of the person making the payment. These data include Name, Surname, Billing address and VAT number (only for companies)
In general, communications exchanged with us or addressed to us via letters, e-mails and social media (Facebook)
Instead, these information are automatically collected by Prontobus:
If you decide to register, both on the Site and on the App, starting from your Facebook account, we can take from the latter, only on your explicit consent, information relating to Name, Surname, Email Address and Date of Birth
When you log in to the Site, we store the IP address from which you are contacting us
2. Purpose of the processing
Provide online ticketing services requested by you. This also includes the subsequent management of the reservation (for example, modification and cancellation)
We may use the contact details (Email Address and Telephone Number) provided during booking to contact you in case there were any changes or communications relating to your trip. These communications are purely technical and not marketing, for this reason they are not disabled
We use the billing address, mandatory only with electronic payments, to identify / prevent fraudulent activity and for accounting reasons
Security, administrative purposes, crime prevention / detection: we can also communicate user data to government authorities or bodies in compliance with legal requirements
Communications with customer service: we use user data to manage our support as our customer and to improve our services and improve the user experience with us
Prevention of unauthorized access. We store the IP address from which you access to prevent fraudulent access to our applications and to ensure maximum security of your data
Marketing, we use your Email Address to send you promotional and periodic communications related to Prontobus initiatives. Consent is optional, can be removed at any time. Communications are sent directly from Prontobus and your data is not shared with anyone
The consent to the processing of data for the purposes of points a, b, c, d, e, f is mandatory to register on the site and to take advantage of online ticketing services. The partial consent or not granted, does not allow Prontobus to provide the services provided. Consent to point g is optional.
3. Age requirements
Only users who are 16 years of age can register on the site and use online ticketing services. For users with a lower age, consent from parents or legal guardians is required.
4. Processing methods and retention time
The processing of your personal data is carried out by means of the operations indicated in art. 4 of the Privacy Code and art. 4 n. 2) GDPR and more precisely: collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of data. Your personal data are processed either on paper or electronic and / or automated, using the IT services provided by AWS (Amazon Web Services) and located in Ireland (EU).
The data are kept for the time strictly necessary for the management of the purposes for which the data are collected in compliance with current regulations and legal obligations. In any case, Prontobus practices rules that prevent the retention of data indefinitely and therefore limits the storage time in compliance with the principle of minimization of data processing.
The Owner has taken a variety of security measures to protect your data against the risk of loss, misuse or alteration. In particular: it has adopted the measures pursuant to art. 32-34 of the Privacy Code and art. 32 GDPR.
In particular, Prontobus uses these two technologies
all data stored on our servers are not stored on disks that are accessible in clear text. The "encrypting" operation is performed automatically by AWS, a provider of computerized hosting services, using AES standards
In order to guarantee the secure transmission of personal data we use the SSL encryption protocol. All personal data (name, address etc.) are encrypted and transmitted on the Internet in a secure manner. It is possible to recognize the secure zones of the site by the presence of the special icon (closed lock) in the lower bar of the browser window.
7. Social plugin
On our website the so-called social plugins of the social network Facebook are used, managed by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA. The plugins are marked with the Facebook logo. By consulting the notes on the processing of personal data on Facebook at http://www.facebook.com/policy.php: you can learn the purpose and the extent of data collection, further processing and use of data from part of Facebook, as well as their rights in this regard and the possibilities of setting for the protection of their privacy.
8. Access to data
Your data will be accessible, for the sole purposes of point 2, from:
employees and collaborators of Prontobus, in their capacity as persons in charge and / or internal managers of the processing and / or system administrators
to third party companies or other subjects that carry out activities on behalf of the Owner, in their capacity as external data controllers.
9. Data communication
Your data will never be disclosed to third-party companies, for any marketing, profiling, research or similar purposes. We will only share your information in one of the following cases.
Security and administrative purposes
Without your express consent (pursuant to Article 24 letter a), b), d) Privacy Code and art. 6 lett. b) and c) GDPR), the Data Controller may communicate your data for the purposes referred to in art. 2.A) to Supervisory Bodies, Judicial Authorities and to all the other subjects to whom the communication is mandatory by law for the accomplishment of said purposes. Your data will not be disclosed.
10. Data transfer
The management and storage of personal data will take place within the European Union, on servers located in Ireland, for the exclusive use of the Owner and owned by AWS.
11. Rights of the interested party
In your capacity as interested parties, you have the rights set forth in art. 7 of the Privacy Code and art. 15 GDPR and precisely the rights of:
obtain confirmation of the existence or not of personal data concerning you, even if not yet registered, and their communication in an intelligible form
obtain the indication: a) of the origin of personal data; b) of the purposes and methods of the processing; c) of the logic applied in case of treatment carried out with the aid of electronic instruments; d) of the identification details of the owner, the managers and the designated representative pursuant to art. 5, paragraph 2 of the Privacy Code and art. 3, paragraph 1, GDPR; e) of the subjects or categories of subjects to whom the personal data may be communicated or who can learn about them as appointed representative in the territory of the State, managers or agents
obtain: a) updating, rectification or, when interested, integration of data; b) the cancellation, transformation into anonymous form or blocking of data processed unlawfully, including data whose retention is unnecessary for the purposes for which the data were collected or subsequently processed; c) the attestation that the operations referred to in letters a) and b) have been brought to the attention, also as regards their content, of those to whom the data have been communicated or disseminated, except in the case where such fulfillment is it proves impossible or involves a use of means manifestly disproportionate to the protected right
to object, in whole or in part: a) for legitimate reasons, to the processing of personal data concerning you, even if pertinent to the purpose of the collection; b) to the processing of personal data concerning you for the purpose of sending advertising or direct sales material or for carrying out market research or commercial communication, through the use of automated call systems without the intervention of an operator by e-mail and / or through traditional marketing methods by telephone and / or paper mail. It should be noted that the right of opposition of the interested party, set out in point b) above, for direct marketing purposes through automated methods extends to traditional ones and that in any case the possibility remains for the data subject to exercise the right to object even only partially. Therefore, the interested party can decide to receive only communications using traditional methods or only automated communications or none of the two types of communication.
Where applicable, you also have the rights referred to in Articles 16-21 GDPR (Right of rectification, right to be forgotten, right of limitation of treatment, right to data portability, right of opposition), as well as the right of complaint to the Guarantor Authority.
12. How to exercise rights
13. Changes to the Privacy Notice
14. Holder and manager of the processing