AndesTransit GDPR Center
Understand how AndesTransit maps to the principial GDPR rights for EU citizens
DATA SUBJECT RIGHT | SUMMARY | ANDES TRANSIT |
---|---|---|
Data Subject Access Request | The right to be informed about your all your data subject rights, and whether your personal data is being processed and how it is being processed. | Your data is processed during the transaction of purchase of an AndesTransit ticket or product on our site. This GDPR Center, indeed this very table, serves to comply with the requirement to inform you of all your data subject rights. |
Right to Object | The right to prohibit certain data processing operations where you have the compelling legitimate grounds, including for direct marketing purposes. | As data processing is required for our legal basis to perform a contract (e.g., issue a ticket, register you on a bus, send you a product for digital download), there are no compelling legitimate grounds to object, once the purchase has been transacted and fulfilled by the delivery of the ticket or service. However, you can object to using your data for our marketing communications by simply replying to it or unsubscribing and you will be removed from the mailing list. You can also object to the re-use of your data for potential purchases by simply using our Data Deletion form or Data Portability form, whichever may apply best for your situation. |
Right to Rectification or Erasure | The right to correct or erase data to ensure that it is processed in compliance with data protection principles | This right is limited to bonafide reasons that the data you provided is not in compliance with GDPR data protection principles, and it can be corrected at no cost as long as you provide us the corrected information before your ticket or product is delivered. Please be advised, however, that this right does not extend to correcting data after the ticket or product is delivered, at least without additional costs to you. At minimum, a fee will be charged for changing data after a ticket or product is issued, but in most cases, a ticket is both non-refundable and non-changeable once issued, and the only way to correct the data is to purchase a new ticket without the ability to refund or cancel the first one. Please see our Ticket Policies for more details. |
Right to Restriction | The right to restrict processing of data because the data is not compliant with data protection principles. | Similar to the reasoning above for Rectification or Erasure, your request for restriction can only be accepted for two circumstances: 1) before (not after) the ticket or product has been issued or sent to you; and 2) to prevent re-use of your data for marketing purposes or for potential purchases in the future. If either of these circumstances are valid in your situation, you can use the Data Deletion form on this page to make your request, and simply check the box Restriction Only, which will not delete your data but will remove you from marketing lists and prevent us from re-using it for potential purchases in the future. |
Right to Erasure ("Right to be Forgotten") | The right to seek erasure of personal data if it is no longer necessary. | We offer a Data Deletion form on this page for making requests for data erasure, but erasure requests are subject to a 3.5 year retention requirement before the deletion can take effect, and data subjects must provide authenticating identification related to their data to prevent fraudulent uses. |
Right to Data Portability | The right to request personal data held by the data controller be provided to the data subject or to another data controller. | We offer a Data Portability form on this page for making requests of this nature. Be advised that we believe this is high-risk procedure and we have limited power to ensure your data is secure during the process of transferring it to you or to another controller. We therefore will need to require authenticating information about you, the data subject, and establish a data transfer protocol with you or the second data controller, in order to safely transfer the data, a process that will take approximately 30 days. |
FREQUENTLY ASKED QUESTIONS
How are you securing my data
What is the legal basis for your processing my personal data?
How long do you keep my personal data on file?
What is your incident response time in case of a data breach?
What personal data of mine is stored by AndesTransit (and what personal data is not)?
- Cardholder name
- email addresses (1 for billing and 1 for passenger)
- unique customer identifier
- order ID
- date/time/amount of transaction
- IP location from where order was made
- Billing address
- Trip data (date and time of trip, origin, destination, carrier)
- Passport data (name, country, date of birth)
- Contact phone number
- Gender
We do NOT collect or store any of the following data, as these are only known to the data processor (e.g., Stripe, Square, PayPal, AliPay) and we are simply passed verification they have been accepted and passed as valid:
- Bank account details
- Payment Card number
- Payment Card expiration date
- CVC Code
Do you use my personal data for any profiling?
We use only human intervention, and no machine-made profiling to make decisions about you and your purchase.
DATA DELETION FORM
Use this form to request an erasure of your data, subject to the following conditions:
- Statutory warranties require payment related data to be stored for a period of 3.5 years, at which time that data is automatically deleted from our system. If this standard procedure is fine with you, there is no need to fill out this form.
- This form can only be used by citizens of the EU who provide information that matches records in our system. Non-EU citizens using this form will not receive any response.
- Deletion is limited to data AndesTransit stores related to your purchases and subscriptions. It does not include sensitive data collected by the third-party payment data processor (e.g., PayPal, Stripe) such as your credit card number, CVC code, and banking information, but we will provide contact info for the processor related to your order so you can communicate with them separately if desired.
DATA PORTABILITY FORM
Use this form to request a downloadable CSV file of data stored on AndesTransit, subject to the following conditions:
- Statutory warranties require payment related data to be stored for a period of 3.5 years, at which time that data is automatically deleted from our system. If this standard procedure is fine with you, there is no need to fill out this form.
- This form can only be used by citizens of the EU who provide information that matches records in our system. Non-EU citizens using this form will not receive any response.
- Be advised that downloading and transfering data involves a high degree of risk, even with the secure tools we provide. For this reason, we reserve the right to ask for additional information to prove your identity if we suspect a request might be fraudulent.
MY DATA INQUIRY FORM
Use this form to simply request a report of the categories of data AndesTransit stores about you and the reasons why, subject to the following conditions:
- You have reason to believe AndesTransit has any data about you, most likely from a previous purchase made through our site.
- This form can only be used by citizens of the EU who provide information that matches records in our system. Non-EU citizens using this form will not receive any response.
- For security reasons, we only can confirm storage of your data in general terms and will not provide over email specific sensitive data like card numbers, CVC codes, or other personally identifying information.
DPO FORM
Use this form to send a message to the Data Protection Officer for any relevant matter of data protection or privacy info that is not covered in the other sections of this page.
- Note that any messages sent that are not related to GDPR or Privacy Info policies will not receive a reply.