We're hiring!

Ridango Privacy Policy

This privacy policy (hereinafter: the Privacy Policy) applies to the processing of personal data by Ridango AS (hereinafter: Ridango).

Please read this Privacy Policy carefully as it contains information about how Ridango processes your personal data and what your rights are as a data subject (hereinafter: the data subject/you).

The Privacy Policy describes:

  • the processing of the personal data of public transport users (in a situation where Ridango processes personal data on behalf of its own customers, i.e. where Ridango is the processor);
  • the processing of the personal data of the representatives of customers, partners or potential customers (where Ridango is the controller of the personal data).

This Privacy Policy does not regulate the processing of personal data in employment relationships. Ridango employees are informed about the processing of their personal data in the company’s internal documents. Read more about the processing of personal data of job applicants at Ridango here.

1. General provisions, contact and definitions

1.1. Accessibility of the Privacy Policy. This Privacy Policy is accessible to data subjects and other persons at the following website https://www.ridango.com/privacy-cookie-policy/. The Privacy Policy can also be found on the customer websites managed by Ridango in order to facilitate the provision of information on the processing of personal data to public transport users.

1.2 Amendment of Privacy Policy. Ridango has the right to amend the Privacy Policy at any time by informing the data subject of the amendments on the Ridango website and/or in another manner (e.g. by an information letter). Amendments will enter into force from their publication on the Ridango website, unless a different deadline has been set out in the amendments.

1.3 Controller. Ridango AS, registry code 11717474, address Järvevana tee 7B, 10112 Tallinn, email . Ridango is the controller for the processing described in the Privacy Policy, except for the processing described in Chapter 3. For the processing described in Chapter 3, Ridango is the processor and Ridango’s customer is the controller.

1.4 Contact. Data subjects can send their questions about data protection to the following email address: or to the physical address of Ridango provided in Section 3. Please write “Data protection” in the subject line of your message.

1.5 Supervisory authority. The supervisory authority that supervises data processing by Ridango is the Estonian Data Protection Inspectorate https://www.aki.ee/et.

1.6 Social media. On Ridango social media pages, personal data are processed by the provider of the respective platforms in accordance with the privacy policy of the respective platform. Ridango complies with this Privacy Policy when processing personal data. On social media, you have to keep in mind that social media platforms process personal data in accordance with their own terms and conditions, which you can read on the social media websites.

1.7 Data protection terms. The data protection terms have the same meaning as defined in the General Data Protection Regulation (2016/679) (GDPR).

1.8 External links. On its website, Ridango may refer to links that take you to websites managed by third parties. If you click on one of these links, you will leave the Ridango website and be redirected to the website of the respective organisation or company. Although there may be a connection between the websites of Ridango and the third party, Ridango has no control over the content of these websites or the processing of personal data. Each organisation is responsible for the processing of personal data on its own website. Before sharing personal data, we advise you to read the privacy policy of the relevant website.

2. Terms: 

2.1 Ridango/we – Ridango AS.

2.2 Service – Ridango provides public transport organisation and ticketing services to its customers on the basis of the contracts entered into with the customers.

2.3 Customer – local authority or public transport operator to which Ridango provides public transport management and ticketing services. The customer is the controller of the personal data. With regard to the processing set out in Chapter 3, Ridango processes personal data as the processor in the interest of and on behalf of the Customer and in accordance with the Customer’s instructions.

2.4 Public Transport (Service) User – a natural person who uses public transport or buys public transport tickets. The Public Transport User can access the Service through the Customer’s website or mobile application managed by Ridango, which makes it possible to manage the Public Transport User’s account and purchase public transport tickets. The Public Transport User can also access the Service at points of sale, through the public transport driver and the validator.

2.5 Public Transport User’s Account – Ridango manages an account-based system that aggregates the accounts of all Service users on behalf of its customers. A user account is the digital account of each user, which contains information about the user’s right to use public transport and ticket money.

2.6 Travel Card – a personalised or non-personalised electronic travel card (e.g. Ühiskaart, TallinnCard, student card or local government employee card) certifying the right to use public transport or the right to travel fare concessions. The Travel Card is valid in all Estonian cities, counties and on Elron trains (to validate your Elron day or monthly ticket and prove your right to a travel fare concession).

2.6.1 Personalised Travel Card – Public Transport Users have the right to personalise their travel card, i.e. to link it to their personal identification code. When the card is personalised, the Public Transport user automatically benefits from the applicable travel fare concession (e.g. a travel fare concession established by the local authority). Ridango regularly (every 30 days) makes queries to databases on behalf of its customers to make sure that the data on the travel fare concession indicated on the Public Transport User’s account is up to date. When a ticket is purchased, the Personalised Travel Card automatically allows the person to choose the cheapest public transport ticket when applying the travel fare concession. The Public Transport Users has the right to de-personalise their Travel Card at any time.

2.6.2 Non-personalised Travel Card – the Public Transport Users have the right to use a non-personalised public transport Travel Card to purchase public transport tickets and to prove their right to travel. In this case, the Travel Card is not linked to the Public Transport User’s personal identification code. The Non-personalised Travel Card does not allow the Public Transport User to benefit from the applicable travel fare concession, as there is no information about the user’s travel fare concessions on the user’s account (no regular queries are made to databases).

2.7 Ticket – a document on paper, card, mobile phone, bank card, QR or electronic format or any other form that proves the Public Transport User’s right to travel.

2.8 Validator – an electronic device at the doors of public transport vehicles on which the Public Transport User validates his or her right to travel by means of the Travel Card or purchases a ticket for public transport.

2.9 Application – a website or mobile application managed by Ridango on behalf of a customer, where a Public Transport User can purchase public transport tickets.

3. Processing of Personal data of Public Transport User

3.1 Local authorities or public transport operators offer different services to Public Transport Users (data subjects), which are related to the use of the Travel Card: e.g. using public transport, using the Park & Ride system, or using the travel fare concession linked to the Travel Card when buying an Elron train ticket.

3.2 Ridango is the data processor in the provision of the Service and the processing of personal data of Public Transport Users in connection therewith. Ridango’s customers, i.e. local authorities or public transport operators, are the controllers in the processing of personal data of the Public Transport Users.

3.3 The legal basis and the purpose of the processing of the personal data of a Public Transport User are always determined by the controller. Ridango processes the personal data of the Public Transport Users only on behalf of and under the instructions of the controller.

3.4.1 The controller determines the purposes and means of the processing of personal data. Ridango has different customers, and the legal bases, purposes, guidelines and exercise of the rights of data subjects may vary from customer to customer. Different controllers may use different legal bases, for example:

3.4.2 Compliance with a legal obligation (Art 6(1)(c) GDPR): the obligation of a local authority is to organise public transport in its administrative territory, including the granting of discounts (§ 13 of the Public Transport Act) and verification of the right to travel fare concessions (§ 32 (3) of the Public Transport Act); the obligation of the carrier to offer travel free of charge on domestic regular services (§ 34 of the Public Transport Act), the obligation to check the existence of a travel fare concession (§ 32 (1) 1) and 2) of the Public Transport Act); the obligation to grant a travel fare concession on regular services provided under a public service contract (§ 36 of the Public Transport Act) or the obligation to verify the existence of a travel fare concession when imposing a fine for travelling without a ticket (§ 85(1) of the Public Transport Act).

3.4.3 Performance of a contract (Art 6(1)(b) of the GDPR): verification of the right to travel and of the travel fare concessions is part of the sales contract between the carrier and the data subject.

3.4.4 Consent (Art. 6(1)(a) of the GDPR): only if the customer has given specific instructions for the processing of personal data based on the data subject’s consent.

3.5 The controller determines the purpose of personal data processing. Every controller also determines the purpose of the specific processing. As a rule, this is organising public transport in the local authority, granting the right to travel to the Public Transport User, checking whether there are any travel fare concessions and organising ticket sales.

3.6 Sources of personal data. Ridango receives the personal data of Public Transport Users on behalf of the controller:

3.6.1 directly from the Public Transport Users when personalising the travel card, when purchasing public transport tickets and when using the travel card (validation);

3.6.2 as a result of queries made to databases (the Population Register, the Estonian Education Information System, the Social Protection Information System, if the customer has instructed Ridango to do so, queries may also be made to other databases (e.g. the MySchool database);

3.6.3 applications and the management environment used to provide the Service.

3.7. Categories of personal data. Ridango collects and processes the following personal data of the Public Transport Users in order to provide services to its customers (only the data necessary for the performance of a specific activity will be processed, depending on the specific situation):

3.7.1 Information of the user of a non-personalised Travel Card: number of the Travel Card, card balance.

3.7.2 Information of the user of a personalised Travel Card: number of the Travel Card, name, personal identification code, age, email, number of the ID card, card balance, information on the travel fare concessions applicable to use Travel Card user as a result of queries to databases (hereinafter: the Databases).

a) code of the local authority of the place of residence from the Population Register (first name and surname, personal identification code, age, local authority code, information on identity document (for the verification of its validity) or error code);

b) information from the Estonian Education Information System on whether the person is a student (yes/no or error code);

c) information from the Social Protection Information System on whether the person is a pensioner (yes/no or error code).

3.7.3 Travel Card balance and transaction information: transaction and means of payment data when the Travel Card is topped up in the application (no transaction data are shown when the Travel Card is topped up at a point of sale), history of transactions made with the Travel Card.

3.7.4 Validation information: Travel Card validation time and route in the last seven days.

3.7.5 Customer service information: name, email, telephone number, data contained in the customer service assignment (may include the name or personal identification code of the natural person, Travel Card number), communication with customer service; the form for application for a public transport concession filled in by the Public Transport User and submitted through the customer service or to the representative of the local authority if necessary to obtain the support; other data on the use of the Service. Where applicable, if a representative of the Customer is involved in customer service, his or her name, email, position, telephone number.

3.7.6 Technical information: web analytics in the Google Analytics application (according to the user’s choice of cookies); logs of queries made to the application server; cookies for tracking data traffic in applications and how the Public Transport Users use the applications, including for collecting the IP addresses and browsing data of the Public Transport Users.

3.8 Below we describe the ways in which we process your personal data as a processor when you use the services of a local authority or public transport operator related to the use of a nationwide Travel Card; and the categories of personal data to which the processing relates. The basis for the processing operations listed below is provided by the controller (i.e. the customer of Ridango).

 

Data processing operation and category of personal data Description of how we process your personal data
Personalisation of the Travel Card

information of the user of a personalised Travel Card

 The personalisation of the Travel Card and making queries to the Databases listed above on behalf of Ridango’s customers allows the Public Transport User to benefit from the services of the public transport operator or local authority and the travel fare concessions applicable to him or her. The Travel Card can be personalised in the self-service section in the application or at the point of sale. The personalisation of a Travel Card makes it possible to link the card to a specific person and to the travel fare concession that applies to that person. A one-off query to the Databases is made after the Travel Card is personalised.

 
Re-personalisation of the Travel Card

information of the user of a personalised Travel Card

 If the Travel Card is lost or to apply the travel fare concessions of the new place of residence after your place of residence changes. In the event of the loss of the Travel Card, the tickets or money on the personalised card can be transferred to the new card. If you change your place of residence (move to another local authority and wish to start using their travel fare concessions), the changes based on your place of residence will take effect within 30 days of the last update of your card details at the latest if you use a personalised Travel Card. You can also de-personalise and then re-personalise your Travel Card to update your travel fare concessions. A one-off query to the Databases is made in the case of re-personalisation of the Travel Card.
De-personalisation of the Travel Card

information of the user of a Non-personalised Travel Card

 Each Travel Card user can depersonalise his or her Travel Card at any time to continue to use the same Travel Card without the associated travel fare concessions. A Non-personalised Travel Card is not linked to your personal identification code. After the card has been de-personalised, we will stop making queries to the Databases to update the data on the Travel Card. In order to do this, you must contact our customer service by email at or call our helpline +372 611 8000. The Non-personalised Travel Card is not linked to a specific person and can be shared, for example, with family members.

 
Regular updating of the data of a personalised Travel Card

information of the user of a Non-personalised Travel Card

 The data on all Personalised Travel Cards is automatically updated every 30 days to ensure that travel fare concessions and travel rights are up-to-date and correct. Queries are made more often, for example, when the data linked to a travel card change, when a new Travel Card is bought and personalised, when legislation changes, when the conditions or procedures of the travel fare concessions of local authorities change and in other such cases.

 
Stopping Personalised Travel Card queries to the Databases In the case of Personalised Travel Cards, we will stop making queries to the Databases if the Population Register does not provide a match for a particular person on five consecutive occasions (error code).

 
Ticket sales

information of the user of a non-personalised or personalised Travel Card

information on the balance of money on the card and transactions

 Public Transport Users can buy tickets onto their Travel Cards or top them up at points of sale (by presenting the Travel Card or giving the number of the Travel Card to the seller), in the application or with a mobile payment on the validator.
Verification of the right to travel

information of the user of a non-personalised or personalised Travel Card

validation information

information on the balance of money on the card and transactions

 The local authority organises the verification of the right to travel of the Public Transport Users on its territory. During the verification of the right to travel, it is checked whether there is a valid ticket or right to travel on the Travel Card, and the valid travel fare concessions on the Travel Card are also verified. No additional query to databases is made when the right to travel is verified. If necessary, the data concerning the resolution of disputes concerning the right to travel are processed when the right to travel is verified.

 
Customer service and helpline

Resolution of the queries of data subjects

all personal data may be processed

 If you have any questions about the Service, please email them to or call our helpline on +372 611 8000. We retain customer service information to verify communications, transactions or other issues related to the Service (phone calls, emails saved by customer support) and to resolve disputes if necessary.
Access of the Public Transport User to the management environment

information of the user of a non-personalised or personalised Travel Card

information on the balance of money on the card and transactions

 

 Public Transport Users can manage the information concerning their Travel Cards (including personalise and de-personalise), buy tickets or top up their Travel Cards and access their ticket details from the administration environment, for example on the website www.pilet.ee.
Customer’s access to the management environment

all personal data may be processed

 Providing the different services of Ridango (including ticket sales, fleet management and transport monitoring) to the customers of Ridango through a common administration environment. Ridango is also the processor when the data of customer representatives are processed even if the processing of the data of the customer’s employees/personal data is associated with the services provided to the customer as a processor (transport monitoring).
Providing the Customer with an overview of the use of the Service

Generally not personalised, but all personal data may be processed in accordance with the customer’s instructions

 The specific reporting data are specified in the contracts between Ridango and the Ridango customer (customer contract/procurement documents), or the customer as the controller takes the reports directly from the administration environment.
Maintenance of the Customer’s IT systems; development work on behalf of the Customer

all personal data may be processed

 We maintain IT systems and, if necessary, carry out IT development work at the request of our Customers, in accordance with the agreements made with the Customers.

3.9 Data retention. We retain data in accordance with the general data retention deadlines set by our customers, see Chapter 6 for more information.

4. Ridango Privacy Policy for Representatives of Customers

4.1 Ridango is the controller of personal data when the personal data of the representatives customers, partners or potential customers, employees or beneficial owners (hereinafter collectively: Customer Representatives) are processed, except for certain functionalities of the Service where the processing of the data of the customer’s employees/personal data is associated with the services provided to the customer as a processor (transport monitoring).

4.2 When processing personal data, Ridango complies with applicable legislation and takes the necessary technical and organisational measures to ensure the security of personal data, to prevent unlawful processing, access by unauthorised persons and disclosure.

4.3 Ridango is a responsible data processor and is able to demonstrate compliance with data protection requirements. When processing personal data, Ridango adheres to and uses partners who comply with the principles for the processing of personal data set out in the GDPR. The principles help ensure that the processing of personal data is: lawful, fair and transparent; limited with a purpose; minimal; carried out with the right data; complies with retention deadlines; and ensures reliability and confidentiality of personal data.

4.4 Sources of personal data. Ridango receives personal data:

4.4.1 directly from Customers and their representatives in connection with the provision of the Service;

4.4.2 applications or customer service in connection with resolving the questions or disputes that arise in the course of providing the Service;

4.5 Categories of personal data.

4.5.1 Contact details: name, personal identification code, date of birth, telephone number, email address, language of communication.

4.5.2 Communication information: in particular, information relating to the use of the Service and disclosed in communications or correspondence.

4.5.3 Accounting information: details of payments and claims collected in the course of accounting – name, contact, email, address, name of the representative in case of a legal person.

4.5.4 Technical information: web analytics in the Google Analytics application (according to the user’s choice of cookies); logs of queries made to the application server; cookies for tracking data traffic in applications and how the Customer Representatives use the applications, including for collecting the IP addresses and browsing data of the Customer Representatives.

4.5.5 Legal basis and purposes of the processing of personal data. Ridango processes personal data on the following basis and in the following cases:

4.6 Ridango processes personal data on the basis of consent only in limited cases (e.g. in marketing activities targeted at customers). Processing on the basis of consent is carried out under the exact conditions and within the limits set out in the consent. The data subject has the right to withdraw his or her consent at any time (please write to ). The withdrawal of consent does not affect the lawfulness of processing that took place prior to the withdrawal of consent.

4.7 Ridango processes personal data on the basis of a contract in order to enter into contracts with customers and to provide services to the customers.

4.8 Legal obligation. Ridango may process personal data to comply with its obligations under various laws, such as the Accounting Act, the Money Laundering and Terrorist Financing Prevention Act, the International Sanction Act and other applicable laws and regulations.

4.9 Legitimate interest. Ridango relies on legitimate interest to promote its customer relationships and business activities, for marketing activities and for the presentation and defence of claims. Also in the case of co-processing of personal data of the representatives/employees of customers where a contract is entered into with an organisation. In the case of legitimate interest, the processor assesses its own and the data subject’s interests. Processing on the basis of legitimate interest is only used in the case positive legitimate interest assessments. A data subject has the right to review the assessment of legitimate interest made about the processing of his or her personal data by writing to .

4.10 Ridango processes the personal data of customer representatives as follows:

 

Purpose Basis Personal data
Entering into contracts with customers and provision of the service to customers Legitimate interest (Article 6(1)(f) of the GDPR) if the contract has been made with a company; contract (Article 6(1)(b) of the GDPR) if the contract has been made directly with the data subject Contact details, the representative’s full name and position, information on the right to represent the organisation
Customer management/customer service (NB! Separate from private customer service) Contract (Article 6(1)(b) of the GDPR) or legitimate interest (Article 6(1)(f) of the GDPR) Contact details, communication information, accounting information
Feedback from customers for improving the service Legitimate interest (Article 6(1)(f) of the GDPR) Contact details, communication information
Marketing activities (newsletter to customers, social media marketing with cookies, campaigns, etc.) Consent (Article 6(1)(a) of the GDPR) or legitimate interest (Article 6(1)(f) of the GDPR) Contact details, communication information, technical information
Filing, proving and defending legal claims based on the performance of a contract or compliance with another legal obligation, or on the public or legitimate interest of Ridango, e.g. for the preparation and response to legal claims, communications, etc Legitimate interest (Article 6(1)(f) of the GDPR) All personal data may be processed
Video surveillance at Ridango’s office, limited processing of the personal data of customer representatives Legitimate interest (Article 6(1)(f) of the GDPR) Image
Organisation of accounting Law (Art 6 (1) c) of the GDPR) Contact details, accounting information
Auditing of accounts Law (Art 6 (1) c) of the GDPR) Contact details, accounting information
Development of IT systems (unless the Customer orders development work, in which case Ridango is the processor) Legitimate interest (Article 6(1)(f) of the GDPR) Generally anonymous, but all data may be processed

For each data category, the data processed will be the data required for the respective purpose and in the required volume. Please read the Privacy Policy in full for more details.

4.11 New purpose. Where personal data are processed for a purpose other than that for which they were initially collected, or not on the basis of the data subject’s consent or on the basis of Union or Member State law, which is a necessary and proportionate measure in a democratic society, Ridango will carefully assess the permissibility of such new processing pursuant to Article 6(4) of the GDPR. In order to determine whether processing for a new purpose is compatible with the original purpose for which the personal data were collected, the following is taken into account among other things:

(a) any link between the purposes for which the personal data are collected and the purposes of the planned further processing;

(b) the context in which the personal data are collected, in particular in relation to the relationship between the data subject and the processor(s);

(c) the type of personal data, especially whether special categories of personal data or personal data relating to convictions and offences are processed;

(d) the possible consequences of the intended further processing for data subjects;

(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.

5. Other processors and data transmission

5.1 Ridango may use (sub)processors for processing the data of Public Transport Users and customers when providing the Service. When transmitting personal data to a (sub)processor, Ridango ensures that the processors process the personal data in accordance with Ridango’s instructions, comply with confidentiality requirements and implement appropriate security measures.

5.2 These processors are, among others, service providers who provide:

5.2.1 IT services (can be all data);

5.2.2 customer service and a helpline for Public Transport Users (can be all data);

5.2.3 ticket resale services, i.e. a point of sale (Personalised or Non-personalised Travel Card information, Travel Card balance and transaction information);

5.2.4 accounting software (accounting information, information of customer representatives to a limited extent);

5.2.5 auditing service (accounting information, information of customer representatives to a limited extent);

5.2.6 security service (data of persons visiting the Ridango office, including the data of customer representatives, to a limited extent).

5.3 Other processors. Personal data may also be transmitted to:

5.3.1 Ridango Group companies for making the management and administrative decisions of the company;

5.3.2 the authorities and supervisory authorities entitled to receive the data;

5.3.3 other authorities, such as investigative bodies, law enforcement authorities, entitled to receive the data. Ridango considers the content and legitimacy of the request and provides the minimum data required;

5.3.4 processors providing payment services, financial service providers and financial institutions (in relation to payments);

5.3.5 legal, financial and other consultants; audit and other specialised service providers. All personal data may be processed depending on the needs;

5.3.6 for business operations (for example, mergers and acquisitions and various business transactions);

5.3.7 postal and telecommunications service providers (where applicable).

5.4 If you would like further information on the partners and processors used, please send an email to .

5.5 Place of processing. Personal data are generally not transmitted outside the European Economic Area (EEA). If a situation arises where it is necessary to transmit personal data out of the EEA, this will be done in accordance with the requirements of the GDPR (i.e. only to countries/institutions where adequate protection of personal data is ensured, or using EU standard clauses or other means permitted by the GDPR); data may also be transmitted with the explicit consent of the data subject, if such transmission is essentially one-off and takes place at the request and with the informed consent of the data subject. If you would like more detailed information on possible transmission, please write to . The texts of the EU standard clauses are available here. The data subject has the right to see the standard clauses used with regard to the processing of his or her personal data (if any), please write to . The list of the Data-Privacy Framework is available here. The European Commission has recognised adequate protection in the countries listed here.

6. Data retention deadline

6.1 Personal data are processed during the term of the contract with the customer or in accordance with the instructions given by the customer, or until the law no longer requires the retention of personal data. The personal data are then deleted or anonymised.

6.2 The personal data of the Public Transport User are not processed for longer than necessary. The retention period may depend on the contracts entered into by the Public Transport User, the legitimate interest of Ridango or applicable law (for example, limitation periods in accounting and legislation related to civil law).

6.3 We will keep the personalised Travel Card validation information until a new validation or for a maximum of seven days from the validation. After a new validation or after seven days, the validation record related to the personalised Travel Card will be deleted and a non-personalised record will be created, which contains the details of the travel, but no link to the Public Transport User and the Travel Card.

6.4 The results of queries to the Databases are stored for 30 days until a new regular data update query is made. The query result is then overwritten with the new query result.

6.5 As a rule, logs are retained in accordance with the agreement made with the controller (generally up to 1 year).

6.6 If you would like to receive more information on data retention periods, please send an email to .

7.Security of personal data and incidents

7.1 Ridango has established guidelines and procedures and uses different organisational and technical security measures to ensure the confidentiality and security of personal data. Organisational, physical and IT security measures are used, among others.

7.2 Ridango has an incident reporting procedure. In the event of a personal data incident, Ridango will do its best to mitigate the consequences of the incident and reduce similar risks in the future. Ridango follows the requirements of the GDPR when reporting an incident.

8. Rights of data subject

The data subject has the following rights in relation to the processing of personal data:

8.1 The right to request rectification of data if they are insufficient, incorrect or incomplete. In order to do this, please contact us by sending an email to .

8.2 The right to withdraw consent to the processing of personal data if the data are processed on the basis of consent, e.g. when contacting us yourself to apply for a job. You can withdraw your consent by sending an email to . The withdrawal of consent does not affect the lawfulness of previous processing.

8.3 The right to restrict the processing of your personal data in accordance with applicable law, including at the time you have submitted a request for the rectification or erasure of your personal data and Ridango is analysing whether the request can be complied with.

8.4 The right to request the erasure of one’s data, e.g. where data are processed on the basis of consent and the data subject withdraws consent. After the erasure of data, we may not be able to immediately erase all remaining copies from our servers and backup systems. Such copies will be erased as soon as reasonably possible. Erasure cannot be requested if the personal data for which erasure is requested are also processed on another basis, such as the performance of a contract or legal obligation. Therefore, please note that the personal data processed for compliance with legal obligations will not be erased before the deadline laid down by law.

8.5 The right to receive information on who processes your personal data and to receive an overview, including a copy, of the personal data processed.

8.6 The right to receive your personal data which you have provided yourself and which are processed on the basis of your consent or for the performance of a contract, in writing or electronically or, if technically possible, submit your data to another service provider (the right to data portability).

8.7 The right to object to the processing of your personal data where the processing is based on legitimate interest.

8.8 The right to access the assessment of the public interest or legitimate interest that is the basis for the processing of your personal data. In order to do this, send an email to .

8.9 Ridango does not use profiling or automated decisions that would comply with Article 22 of the GDPR. If Ridango starts to use automated decision making or profiling within the meaning of Article 22 of the GDPR that has legal consequences or a significant impact, Ridango will inform the data subject and extend the related rights to the data subject – in which case the data subject will have the right to object at any time, considering his or her particular situation, to the processing of the personal data concerning him or her on the basis of automated decisions and profiling, and to request human intervention. The data subject may also request an explanation of the logic behind the automated decision.

8.10 The right to lodge a complaint if you believe that your rights related to the processing of personal data have been violated, including with the supervisory authority and the court. Please contact us first to clarify the situation and find a suitable solution by writing to us at .

The data protection supervisory authority of Ridango is the Data Protection Inspectorate, whose website and contact details can be found here: https://www.aki.ee/et/inspektsioon-kontaktid/tootajate-kontaktid.

In addition, the data subject has the right to file a complaint in the EU Member State where the data subject resides or works or where the alleged breach of the GDPR took place. The contact details of EU data protection supervisory authorities can be found here.

8.11 Responding to requests and further information. The GDPR permits responding to the requests of data subjects in 30 days (this time may be extended in the case complex and voluminous requests by notifying the data subject according to the GDPR). If you wish to exercise any of the above rights, or need more information about your rights, please contact Ridango. Ridango may require additional information to identify the data subject before granting the rights related to personal data to the data subject. We may ask you to sign the request digitally or, if you sign it in hand, to provide an identity document (photo). This is to avoid giving the data to the wrong person.

9. Use of cookies in applications

9.1 The Ridango website uses cookies to ensure functionality and improve the user experience. The persons visiting the Ridango website can manage or delete cookies in their browser, but if they do so, some features of the application may not work properly – further information on cookies can be found in the notice at ridango.com.

9.2 Cookies are also used on the websites (applications) of Customers managed by Ridango. The exact cookies are determined by the Customer, but as a rule they are the following:

9.2.1 Google Analytics web analysis;

9.2.2 logs of queries made to the Application server;

9.2.3 cookies to track data traffic on the Application and how Users use the Application, including to collect the Service User’s IP address and browsing information.

9.3 The exact purpose for which cookies are used is determined by the Customer, but as a rule they are the following:

9.3.1 remember the User’s information;

9.3.1 analyse the behaviour and preferences of the Users;

9.3.2 improve the User Experience and ensure the proper functioning and security of the applications;

9.3.3 investigate the technical performance of the applications in the event of potential security incidents.

9.4 The Service User may stop the collection of data by Google Analytics at any time according to these instructions: https://tools.google.com/dlpage/gaoptout/.

9.5 The Service User can manage cookies or delete them (depending on the browser, cookies already stored on the Service User’s computer will be deleted selectively or in bulk). Most browsers can be configured to prevent cookies from being stored on a computer. In such a case, the Service User will probably have to manually adjust certain preferences each time he or she visits the Application, and some Services and features may not work.

9.6 Cookie information is usually valid for a short period of time (a day, a week or a month), but in some cases it can be stored for up to a year. The term of validity of the cookies is determined by the owner of the Application.

10. Amendments

10.1 Amendments to and entry into force of the Privacy Notice:

Publication Entry into force Main amendments
December 2025 December 2025 Second version of the Privacy Policy

We have re-mapped all Ridango’s personal data processing processes; linking the purposes of processing, the legal basis and the categories of data.
Until December 2025 First (previous) version of the Privacy Policy