If you need to delete your user account and data in the Svipper app, you can contact us here.
1 Introduction
The Troms County Authority is responsible for planning, organising, purchasing and marketing public mobility and transport services in Troms County. The Troms County Authority delivers these services through the Svipper brand. The mobility department at the Troms County Authority is responsible for the operation of all products and services linked to the county authority’s mobility offer. Through the Svipper brand, the Troms County Authority also delivers various services for travel information and buying tickets, such as the Svipper app and the website svipper.no. In addition to these digital services, passengers may buy tickets through an on-board sales system on the various means of transport.
2 About the Privacy policy
This privacy policy explains how the Troms County Authority collects and processes personal data about you as a customer and user of the public transport and mobility offer in the e-ticketing system. The term personal data means all information and assessments that may be linked to you as an individual. Typical examples of personal data are your name, address, phone number, e-mail address and national identity number. IP addresses are also defined as personal data.
This privacy policy complies with the rules in the Personal Data Act and the General Data Protection Regulation (GDPR), as well as the industry standard for the processing of personal data in connection with e-ticketing (hereafter called the “industry standard”).
This privacy policy contains information you as a customer are entitled to pursuant to Articles 12-14 of GDPR, and general information about how the Troms County Authority processes your personal data.
Moreover, you will find information about topics such as how to gain access to personal data that the Troms County Authority has about you, and how to proceed if you want us to rectify or erase the information.
This privacy policy and terms will be updated from time to time, including when services are extended or changed. If any of the services change to the extent that further processing of your personal data requires your consent, you will be notified of this.
3 Processing of personal data for the following specific services
3.1 App and webshop
When you create a user profile in the app or webshop, your information will be stored in a user profile, which may only be accessed by you and our Svipper Customer Service centre. You can change this information yourself or receive help from the Svipper customer service centre to do so. In your customer profile, you will be able to find all your tickets and all your ticket purchases for at least one year after they expire, provided you do not delete the profile.
If you choose to delete your customer profile, a request to delete your profile will be registered. Your customer profile will then be deleted if there are no activities to be considered, such as valid ticket products. Once your customer profile has been erased, we cannot recreate it and it is then not possible to retrieve your purchase history afterwards.
4 General information about processing of personal data by the Troms County Authority
4.1 Data controller
The Troms County Authority, represented by the CEO, has the overall responsibility for the processing of your personal data, and is therefore defined as the data controller pursuant to the provisions of the Personal Data Act. As the data controller, the Troms County Authority will ensure that your personal data is always processed in lines with the provisions of the Personal Data Act and other applicable regulations.
4.2 We process the following general information concerning you in the e-ticketing system
Sales documents: All sales documents are stored pursuant to the provisions of the Norwegian Bookkeeping Act. The travel information related to your ticket purchases will only be accessed as personal data when this is initiated by the data subject, e.g. in case of a complaint or other enquiries that necessitate taking a closer look at all details connected to a specified purchase.
Information about method of payment: To be able to pay using a payment card, an interface with the payment service enables the registration of a card in the e-ticketing system without saving all the card details in the app. Even if you choose to save one or more payment cards in your profile, your full card details will only be accessible by the payment service. Only the first six and the last four digits of your card number, along with the expiration date, will be saved in connection to the app. This information is required to enable you to recognise your registered card, to generate necessary details that are required for a receipt, and to be able to efficiently process any claim of reimbursement.
Technical information: When you use the e-ticketing system, your IP-address, time of request, information about browser or phone, and version number and mobile platform for the app, including the chosen language, will be logged in an application log. This information is required to enable the service to function on the given platform/phone and will be logged for the service to function as intentioned. This also provides us with necessary information to resolve a problem that may occur in the event of a malfunctioning of the system. We do not use any form of analytics (e.g. Google Analytics) that collects data about or logs patterns of identifiable users. The only related functions are crash reports via Bugsnag that provide fully anonymized crash reports, which are an aid for quickly resolving errors if the app crashes.
Travel data: By accepting that the app can access to the phone’s GPS, position data will only be used locally on the phone. No position data will be logged in the app and transmitted to our backend. The only travel data that will be processed is the information about the chosen departure location/zone and destination/zone that is necessary to document ticket purchases and calculate the correct fare. We also use location data to be able to make suggestions about the best itineraries for your journey. The travel data that is connected to your ticket purchases will be stored and anonymized along with other data documenting the sales.
4.3 Sources of personal data
You enter or generate all the personal data that are processed in connection with the e-ticketing system yourself. No information is collected from external sources or services. You can access, rectify or erase the other personal data you have provided via the settings in the app.
4.4 Access to personal data
Personal data will only be accessible to authorized personnel if required in an official capacity at the Troms County Authority and our subcontractors, including ticket inspection companies, payment service providers and operators.
In some cases, the Troms County Authority may disclose personal data to the Police or other public authorities. However, this requires a specific legal basis or a court order. In addition to this, the Troms County Authority will disclose personal data to the Travel Complaint Handling Body (Transportklagenemnda) if the customer appeals the rejection of a travel guarantee claim or complaint about a fine after consideration by the Troms County Authority.
No data will be disclosed to external third parties, neither in Norway nor abroad, that are not mentioned in this Privacy policy.
4.5 Purpose of processing personal data
The overall purpose of the Troms County Authority’s processing of various personal data connected to the use of the e-ticketing system is to be able to provide reliable and efficient travel products to our customers in connection with mobility and public transport services. Furthermore, the Troms County Authority wishes to create the conditions for efficient customer service as well as enabling ticket inspectors to verify valid tickets.
Use of the e-ticketing system is optional. If you choose not to use this system, you may buy tickets in alternative ways, such as via the webshop, at the customer service centre, on board the means of transport, by SMS, from sales outlets or combined ticket vending machines in Troms.
Information used for statistical purposes is anonymized and cannot be traced to you as a person. Furthermore, statistics are used to improve and further develop our services for all our customers. Examples of statistics providing useful information include the number of passengers travelling between specific zones, the number of tickets sold in each category and the number of tickets bought on each mobile platform (Android or iOS). The Troms County Authority collects information from the ticket purchases made via the e-ticketing system.
4.6 Lawfulness of processing
The Troms County Authority’s processing of personal data is based on an agreement you entered into with us when you registered a customer profile in the e-ticketing system. The Troms County Authority will save these data for as long as you maintain a customer profile, so you can buy a new travel product at any time. The lawfulness of processing is pursuant to point (b) of Article 6 (1) of GDPR, which permits processing when necessary to fulfil a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into an agreement.
Processing for statistical purposes is pursuant point (e) of Article 6 (1) of GDPR and Section 8 of the Norwegian Personal Data Act because it is necessary for statistical purposes that are in the public interest.
4.7 Information security and secure storage of the personal data
The Troms County Authority complies with the requirements concerning information security as outlined in Chapter 2 of GDPR and the provisions of the industry standard.
The Troms County Authority may use travel data together with customer data if you have initiated this yourself. This may apply to a travel guarantee claim, complaint about a fine or another enquiry you have made.
The Troms County Authority will not use travel data together with customer data to produce statistics, during financial settlements with collaborating companies and usually not when troubleshooting.
4.8 Process for requesting access, rectification or erasure
If you wish to terminate your customer relationship and erase related information, you may do so by contacting our customer service centre.
The phone number for our contact centre is: +47 777 88 777 .
You have the right to access personal data stored about you and can demand the rectification of incorrect or incomplete information about yourself. You can also request that unnecessary information about you is erased.
If you want access to, or the rectification/erasure of, stored personal data concerning you, you must send a written request via the contact form or by e-mail.
If you wish to send a written request by mail, our postal address is:
Troms Fylkeskommune
Postboks 6600
9296 Tromsø
If you have specific questions about the Troms County Authority’s processing of your personal data and you cannot find an answer in this Privacy policy, Svipper’s customer service centre can help you to contact the Troms County Authority’s data protection officer.
The Troms County Authority will respond to your enquiry as soon as possible and within 30 days. We will ask you to confirm your identity or provide additional information before allowing you to claim your rights. We do this to ensure that we only grant access to your personal data to you and not to someone claiming to be you.
4.9 Other rights
You have the right to object at any time, on grounds relating to your particular situation, to processing of personal data concerning you which is based on point (e) or (f) of Article 6 (1), including profiling based on those provisions. The Troms County Authority shall no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
You also have the right to data portability, the right to have the personal data transmitted from one company to another pursuant to Article 20 of GDPR. You have the right to receive the personal data concerning you, which you have provided to the Troms County Authority, in a structured, commonly used and machine-readable format and have the right to transmit those data to another data controller without hindrance from the data controller to which the personal data have been provided. This requires that the processing is based on consent pursuant point (a) of Article 6 (1), point (a) of Article 9 (2) or an agreement pursuant point (b) of Article 6 (1) of GDPR. The processing is carried out by automated means.
To exercise your rights, the process will be as described above in point 4.8
If you believe that our processing of personal data does not adhere to our description here or that we do not adhere to the data protection legislation in other ways, we ask us to contact us. You can also lodge a complaint with the Norwegian Data Protection Authority (DPA).
4.10 Use of data processors
The Troms County Authority may share your personal data with data processors. Data processors are subcontractors that process personal data on behalf of the Troms County Authority, cf. Section 2 of the Data Protection Act. This applies to suppliers of ticketing and other systems where it is natural for you as a customer to enter your personal data. This may be either in the form of a user profile connected to your journeys or when complaining about a fine or the rejection of a travel guarantee where the Troms County Authority must carry out case processing.
These data processors cannot use personal data for purposes other than to provide the service as agreed upon with the Troms County Authority in a data processing agreement. The Troms County Authority takes special precautions to ensure that our data processors act in accordance with such data processing agreements, this privacy policy and other Norwegian data protection legislation.
The Troms County Authority only makes use of data processors located in Norway, EU/EEA countries or countries that have sufficient data protection legislation.
5 Automatic registration of customer information when visiting our website
Like many websites, the Troms County Authority uses information capsules (cookies) and similar technologies on our website. As a result, certain types of data about you as our customer will be registered and stored automatically when you visit our website. These data are used to register and analyse traffic patterns on our website. The information is used to identify how visitors navigate on our websites, how much time they spend on the website, what services they use and where they are from.
We typically register data about which browser and operating system you use, and which domain or IP-address you are connected to. This information is used to generate statistics about the use of the website and will be deleted continuously. Such customer information is anonymous. the Troms County Authority does not store information that can reveal the customer’s identity.
You can read more about cookieshere.
6 Storage, duration and erasure
All data is stored in the backup system in accordance with the current legislation. Your personal data will not be stored longer than necessary to fulfil the communication purpose of the app. The Troms County Authority has implemented information security measures and internal routines to verify that no personal data goes astray or are used for purposes other than those described in this privacy statement.
The Troms County Authority, as data controller, and our data processors follow the principles for embedded privacy protection and privacy protection as a standard setting. This includes your personal data not being stored longer than necessary to fulfil the purpose of the service.
Profile information: Your profile information will be stored for as long as you are an active user of the e-ticketing system. All profile information connected to inactive users will be erased after three years. To be considered inactive, no purchase or other activity must be registered in the app from you or your sub-users. You may at any time request that your user profile be erased from the e-ticketing system. However, in such cases, you will need to register again if you wish to use the service later. Your phone number will be verified during the first log in on a new device. If you have entered other personal data in the app, you may edit this in your profile under Settings at any time.
Transaction history and sales documents: All documentation of sales will be stored for five years after the end of the financial year, in accordance with the accounting legislation, including the Bookkeeping Act and appurtenant regulation. The receipts of your last purchases will be accessible the app. In accordance with demands from the payment services, the Troms County Authority is obliged to provide you with access to the sales documents of all your purchases of services, with an expiration within the last 20 months, carried out by your user or connected to your account. After 20 months, the sales documents will be archived and anonymized in a such way that it will no longer be possible for you or someone accessing the e-ticketing system in an official capacity to extract this information connected to your user.
Technical information and app log: Various parts of the transaction log are stored for a sufficient time to ensure that the service functions as intended and that customers receive the service they are entitled to. As a standard, details in the app log will be anonymized after 104 days. In the event of complaints based on errors in the service, the storage time for the transaction log may be increased to cover a necessary timeframe to process the complaint.
7 Security
All communication between the service and the applications on the end users’ phones is encrypted. Access to the system on the web is encrypted. All internal data transfer between the various components of the system is encrypted. Access to extract data is possible solely through API, which encrypted and secured with passkeys. Access to data via the Troms County Authority’s interface is defined by role, personalised and events are logged to ensure traceability.
The administration interface for the service is designed with various levels of access to ensure that personnel who require access at the Troms County Authority will be granted access to the amount of information that is relevant to meet their needs.
Ring oss 777 88 777 eller benytt vårt kontaktskjema.
postmottak@tromsfylke.no.