GDPR Rights
Understand how AndesTransit maps to the principal GDPR rights for EU citizens
| DATA SUBJECT RIGHT | SUMMARY | ANDES TRANSIT |
| --- | --- | --- |
| Data Subject Access Request | The right to be informed about all your data subject rights, and whether your personal data is being processed and how it is being processed. | Your data is processed during the transaction of purchase of an AndesTransit ticket or product on our site. This GDPR Center, indeed this very table, serves to comply with the requirement to inform you of all your data subject rights. |
| Right to Object | The right to prohibit certain data processing operations where you have compelling legitimate grounds, including for direct marketing purposes. | As data processing is required for our legal basis to perform a contract (e.g., issue a ticket, register you on a bus, send you a product for digital download), there are no compelling legitimate grounds to object once the purchase has been transacted and fulfilled by the delivery of the ticket or service. However, you can object to the use of your data for our marketing communications by simply replying to them or unsubscribing, and you will be removed from the mailing list. You can also object to the re-use of your data for potential purchases by simply using our Data Deletion form or Data Portability form, whichever applies best to your situation. |
| Right to Rectification or Erasure | The right to correct or erase data to ensure that it is processed in compliance with data protection principles. | This right is limited to bona fide reasons that the data you provided is not in compliance with GDPR data protection principles, and it can be corrected at no cost as long as you provide us the corrected information before your ticket or product is delivered. Please be advised, however, that this right does not extend to correcting data after the ticket or product is delivered, at least without additional costs to you. At minimum, a fee will be charged for changing data after a ticket or product is issued, but in most cases, a ticket is both non-refundable and non-changeable once issued, and the only way to correct the data is to purchase a new ticket without the ability to refund or cancel the first one. Please see our Ticket Policies for more details. |
| Right to Restriction | The right to restrict processing of data because the data is not compliant with data protection principles. | Similar to the reasoning above for Rectification or Erasure, your request for restriction can only be accepted in two circumstances: 1) before (not after) the ticket or product has been issued or sent to you; and 2) to prevent re-use of your data for marketing purposes or for potential purchases in the future. If either of these circumstances is valid in your situation, you can use the Data Deletion form on this page to make your request, and simply check the box Restriction Only, which will not delete your data but will remove you from marketing lists and prevent us from re-using it for potential purchases in the future. |
| Right to Erasure ("Right to be Forgotten") | The right to seek erasure of personal data if it is no longer necessary. | We offer a Data Deletion form on this page for making requests for data erasure, but erasure requests are subject to a 3.5 year retention requirement before the deletion can take effect, and data subjects must provide authenticating identification related to their data to prevent fraudulent uses. |
| Right to Data Portability | The right to request personal data held by the data controller be provided to the data subject or to another data controller. | We offer a Data Portability form on this page for making requests of this nature. Be advised that we believe this is a high-risk procedure and we have limited power to ensure your data is secure during the process of transferring it to you or to another controller. We therefore will need to require authenticating information about you, the data subject, and establish a data transfer protocol with you or the second data controller, in order to safely transfer the data, a process that will take approximately 30 days. |

FREQUENTLY ASKED QUESTIONS

How are you securing my data?

Your data is secured in an encrypted database on an offsite server in an SAS70 certified data center with biometric verification required for entry. Order forms and SQL connections use SSL encryption. The host of the server is PCI compliant, performs nightly backups, updates servers and their software regularly with security patches, and has redundant IPI connection and firewalls. Only logged and authorized system administrators can access the servers.

What is the legal basis for your processing my personal data?

The GDPR category for our legal basis (Article 6 (1)) is that of NECESSARY FOR THE PERFORMANCE OF A CONTRACT, meaning your providing us your data is necessary for the fulfillment of your purchased ticket or product.

How long do you keep my personal data on file?

3.5 years, the maximum time required by some credit card brands for any dispute resolutions or chargeback investigations. After this time, your data is automatically deleted, but you can still use our Data Deletion form on this page to request for certain that we delete it by this time.

What is your incident response time in case of a data breach?

In the unfortunate case we are informed of any breach of our servers that contain your personal data, we will respond within 72 hours by notifying you of the breach, taking steps to re-secure the server, and giving you the additional option to delete the data even after it has been re-secured.

What personal data of mine is stored by AndesTransit (and what personal data is not)?

AndesTransit collects and stores only a portion of your personal data in order to process a transaction, namely:

  • Cardholder name
  • Email addresses (1 for billing and 1 for passenger)
  • Unique customer identifier
  • Order ID
  • Date/time/amount of transaction
  • IP location from where order was made
  • Billing address
  • Trip data (date and time of trip, origin, destination, carrier)
  • Passport data (name, country, date of birth)
  • Contact phone number
  • Gender


We do NOT collect or store any of the following data, as these are only known to the data processor (e.g., Stripe, Square, PayPal, AliPay); we are simply passed verification that they have been accepted as valid:

  • Bank account details
  • Payment Card number
  • Payment Card expiration date
  • CVC Code

Do you use my personal data for any profiling?

Yes, but only for internal purposes like annual reports, and only reported in generalities, not about you in particular or in any way that can be traced to your particular identity.

We use only human intervention, and no machine-made profiling to make decisions about you and your purchase.
Provide your Authentication Information in the fields below

DATA DELETION FORM


Use this form to request an erasure of your data, subject to the following conditions:

  • Statutory warranties require payment-related data to be stored for a period of 3.5 years, at which time that data is automatically deleted from our system. If this standard procedure is fine with you, there is no need to fill out this form.
  • This form can only be used by citizens of the EU who provide information that matches records in our system. Non-EU citizens using this form will not receive any response.
  • Deletion is limited to data AndesTransit stores related to your purchases and subscriptions. It does not include sensitive data collected by the third-party payment data processor (e.g., PayPal, Stripe) such as your credit card number, CVC code, and banking information, but we will provide contact info for the processor related to your order so you can communicate with them separately if desired.

DATA PORTABILITY FORM


Use this form to request a downloadable CSV file of data stored on AndesTransit, subject to the following conditions:

  • Statutory warranties require payment-related data to be stored for a period of 3.5 years, at which time that data is automatically deleted from our system. If this standard procedure is fine with you, there is no need to fill out this form.
  • This form can only be used by citizens of the EU who provide information that matches records in our system. Non-EU citizens using this form will not receive any response.
  • Be advised that downloading and transferring data involves a high degree of risk, even with the secure tools we provide. For this reason, we reserve the right to ask for additional information to prove your identity if we suspect a request might be fraudulent.

MY DATA INQUIRY FORM


Use this form to simply request a report of the categories of data AndesTransit stores about you and the reasons why, subject to the following conditions:

  • You have reason to believe AndesTransit has any data about you, most likely from a previous purchase made through our site.
  • This form can only be used by citizens of the EU who provide information that matches records in our system. Non-EU citizens using this form will not receive any response.
  • For security reasons, we can only confirm storage of your data in general terms and will not provide over email specific sensitive data like card numbers, CVC codes, or other personally identifying information.