Privacy statements

1. XXImo

XXImo Holding B.V. and the companies affiliated with it (hereinafter referred to as ‘XXImo’) are Dutch enterprises. Our business activities take place in the European Economic Area (EEA) and we store our data on servers within the EEA, unless otherwise indicated.

2. General

This privacy statement summarises when and how your personal data is processed if you’re a customer of XXImo or in connection with the use of the XXImo Mobility Card and the related services such as the app and websites provided by us (hereinafter referred to as ‘Service’).

In our capacity as data controller, we process your personal data so that we can provide our Service to you and so that we can provide the best possible service to you as a holder of a XXImo Mobility Card. We will only use your personal data for that purpose.

We reserve the right to change the provisions of this privacy statement. Changes will only be made in connection with the purpose, described above, of providing you with the Service. If we change the privacy statement we will inform you of this. We advise you to examine the latest version of the privacy statement on a regular basis.

3. Which personal data do we collect?

Personal data can be collected in a number of ways when you make use of the Service. Below is a list of the information XXImo may collect. The list describes which personal data is processed, for which purpose, which legal basis the processing is based on and for which period the personal data is stored.

If you’re a XXImo customer or if you’re an ultimate beneficial owner of the XXImo customer

3.1 Processing based on legal obligations

3.1.1 Administration obligations based on tax laws, processing time 10 years

• Name
• Address
• Invoice data

Not providing the above-mentioned personal data may affect your use of the Service. We may block or restrict your access to the Service and we reserve the right to terminate the agreement or the right of use, as described in our general terms and conditions. The personal data specified here is required to comply with our statutory obligations.

3.1.2 Mandatory customer identification under financial legislation, processing time 8 years after the end of your relationship with XXImo

• Name
• Address
• Date of Birth
• Copy of ID card
• Email Address
• Which industry you work in
• Statement regarding origin of assets
• Gender
• Data from the UBO register
• Data as included in PEP or sanction lists
• Ticket number

We will only ask you for the data that we are legally obliged to process. For example, if the customer identification ends up in a more stringent regime, more data will be processed than if you fall under the simplified regime. The law determines which regime you fall under (for example, a politically exposed person falls into a heavier regime). Failure to provide the above personal data may have consequences for your use of the Service. We may block or restrict your access to the Service and we reserve the right to terminate the agreement or right of use, as described in our terms and conditions. The personal data mentioned in this section is required to comply with our legal obligations (such as the Wwft, the Dutch Money Laundering and Terrorist Financing Act).

3.2 Processing necessary to represent the legitimate interests of XXImo, processing time up to 1year after the contract with our customer comes to an end.

The personal data stated in this section are required to be able to apply for a demo, consultancy or contract with XXImo. XXImo must be able to communicate with the contact person of the (intended) customer and therefore has a legitimate interest in processing that data of the contact person.

• Name
• Business address
• Employer
• Function (not in case of an OMW2 application)
• Telephone number
• Email address
• Additional information provided

Not providing the personal data mentioned above or objecting to the processing thereof may have consequences for your company or employer’s ability to enter into a contract with us or to apply for a demo or consultancy.

If you’re a cardholder who uses the Service

3.3 Processing operations required for the performance of an agreement (the provision of the Service), storage period up to 2 years after the end of the agreement unless otherwise indicated

3.3.1 General / required for use of the Service

• Name
• Title
• Sex
• Date of birth
• Work-related position
• Employer
• Staff number
• IBAN number
• Username
• Password
• Credit card pin code (encrypted, we cannot consult it)
• PAN-number (the 16-digit number on the front of the credit card that we store encrypted)
• User Identifier (a file to associate your identity across various platforms)
• Car registration number and kilometre count (if mobile parking, refuelling and/or charging has been activated)
• The services you purchase
• Card budget

3.3.2 Card-related data (this data can be processed if you use the XXImo Mobility Card to pay)

• XXImo Mobility Card customer number
• Price of the transactions
• Composition of transactions
• Date and time of a transaction
• Purchased products (including, among other things, the type of fuel, travel class)
• Where the product was purchased (business name and location)
• Parking time and location
• Toll trip duration, toll payment location
• XXImo tag for electric charging (this personal data is shared with the electric charging supplier that you use)
• Electric charging sessions duration and address/location of the electric charging session (we receive this data from the electric charging supplier that you use)
• Collection and drop off point in case of taxi, shared car, rental bike use
• Destination and point of departure for flights and train journeys
• Date and time of flights and train journeys
• Other data submitted for the journey
• Hotel location and date of stay
• Point of departure and arrival in case of public transport use

This personal data is received from the company or organization where you use the XXImo Mobility Card (such as a gas station, electric charging station, hotel or parking place). We share the personal data mentioned above with IDT Financial Services Limited, which handles the transaction with VISA.

If you use your XXImo Mobility Card via Google Pay or Apple Pay, your card and transaction details may be shared with Google or Apple and we may receive transaction details from them. If you use OVPay via XXImo, we may receive transaction details related to your travels in public transport from Translink Systems B.V. and your card details may be shared with Translink Systems B.V.

3.3.3 Sorting files

• Time, date & place of use of the service
• Time, date & place of creation of files

3.3.4 Contact details

• Name
• Address
• E-mail address
• Phone number
• Content of correspondence

3.3.5 Employees and employers / resellers

If you purchase the Service through your employer, we will receive your personal data from your employer and we will share personal data with your employer.

If you purchase the Service through another party, the reseller, we will receive your personal data from the reseller and we will share personal data with the reseller. In that case we can also receive personal data from and share personal data with your employer.

Personal data that we will receive from your employer or reseller:

• All personal data, as specified under 3.3.1 (with the exception of the password)

Personal data that we will share with your employer or reseller:

• Name
• Employer
• Staff number
• All card data, as specified under 3.3.2

In order to find out how your employer or reseller handles your personal data, please refer to the privacy statement of your employer or reseller.

The personal data in this paragraph 3.3 that is collected and processed by XXImo will be used for:

• administrative purposes, such as collections and handling disputes;
• drawing up your monthly invoice or the monthly invoice of your employer;
• storing data for your or your employer’s obligation to keep records and your or your employer’s tax obligation;
• presenting detailed information and reports;
• communicating with you or your employer;
• recording agreements made;
• making the Service usable.

Not fully or correctly providing the above-mentioned personal data may affect your use of the Service. Your use of the Service may be impeded and it is possible that the Service will not function properly. We may block or restrict your access to the Service and we reserve the right to terminate the agreement or the right of use, as described in our general terms and conditions. The personal data specified here is required to have the Service function properly or to ensure proper performance of the Service.

3.4 Processing based on a legal obligation to transaction monitoring

• Cardholder Name
• Employer (the XXImo customer)
• Customer number
• Date and time of transaction
• Location of transaction
• Transaction ID
• Card ID
• Amount
• Receiver
• Receiver Location

Financial legislation (such as the Wwft) obliges us to monitor transactions in order to identify unusual transactions. This check takes place automatically, but if a unusual transaction is identified, a XXImo employee will investigate the transaction and determine whether or not the transaction is unusual. We will only monitor the data that we are legally obliged to keep an eye on and keep the data for a maximum of 5 years after the transaction date. We must report any unusual transactions to the FIU. We are not allowed to inform you about this in advance.

3.5 Processing operations in order to protect XXImo’s legitimate interests, storage period up to 2 years after your use of our Service

3.5.1 Improving our provision of services and your user experience if you use our app and/or website (by using Google Analytics)

• Operating system and browser information
• Settings preferences
• Visit and use history
• Reference address (from which website did you find our website)
• The manner in which you navigate our website and app
• Which of our website pages you visit
• IP address
• Unique identification number to identify you

3.5.2 Keeping the Service secure if you use our app and/or website

• Device ID
• User Identifier
• IP address
• Time, date & place of use of the service

3.5.3 In order to inform you about other services of XXImo if you already use a XXImo service, we process the following personal data until you use the unsubscribe option included with each newsletter

• Name
• E-mail address
• Address
• Sex
• Which Services of XXImo you use and how often you use them

Not providing the above-mentioned personal data or objecting to its processing may affect your use of the Service. We may block or restrict your access to the Service and we reserve the right to terminate the agreement or the right of use, as described in our general terms and conditions (this does not apply to the personal data specified under 3.5.3.). The personal data specified here is required to comply with the legitimate interests of XXImo and to prevent misuse of the Service and security incidents.

3.6 Processing with your permission

3.6.1 If you have given us permission or if you have requested this, we will process the following personal data in order to inform you about the XXImo service followed by you or about other XXImo services, storage period until use the unsubscribe option as included in each newsletter

• Name
• Address
• E-mail address
• Phone number

3.6.2 If you have given us permission or have requested such, we will process the following personal data in order to inform you and answer your questions, storage period up to 6 months

• Name
• Address
• E-mail address
• Phone number
• Content of correspondence
  

If you no longer wish to be informed about the XXImo service followed by you or about other XXImo services, please contact us at the e-mail address listed under ‘Contact’. You can also unsubscribe by following the instructions to unsubscribe that are included in every promotional e- mail. This will not affect our right and option to send you e-mails related to the Service and your account, or to use your personal data as described in this privacy statement.
Not providing the above-mentioned personal data or objecting to its processing will not affect your use of the Service. Refusing or withdrawing permission will not negatively affect your use of the Service.

4. Sharing of personal data

Unless otherwise specified in this privacy statement we will not share, sell or trade personal information about you with or to third parties.

4.1 Processing by processors

We may engage third parties, such as hosting providers, to assist us in providing the Service (hereinafter referred to as ‘Processor’). Those third parties may process your personal data in that context.

The types of Processors we may engage are:

• analytical software (including Google Analytics, set up in such manner that no personal data is shared with Google);
• BIN sponsors (VISA licensee);
• customer relation management software;
• third parties with which you use the XXImo Mobility Card;
• hosting providers;
• marketing;
• software developers;
• support;
• card manufacturer;
• software for customer identification;
• software for transaction monitoring;
• XXImo Mobility Card providers.

In some cases the Processor may collect your personal data on our behalf. We inform Processors that they may only use personal data that they receive from us in order to provide the Service. We are not responsible for any additional information that you provide to the Processors directly beyond our services. You must inform yourself about the Processor and their business before disclosing personal data to such Processors beyond our services.

4.2 Sharing with your employer / the reseller

If you use our Service as an employee or if our Service is otherwise made available to you through your employer, the personal data that is processed will be shared with your employer / the reseller as specified in paragraph 3.3.5.

4.3 Sharing with your permission

If we wish to share personal data with other parties other than as described in this privacy statement, we will only do so if we have a valid processing ground to do so.

4.4 Our statutory responsibility

We may share personal data if this is reasonably necessary or appropriate to comply with the law or a legal request of an authority. We may also share your personal data with third parties in order to respond to any claims by third parties or in order to protect the rights, property or safety of us, our users, our employees or the public and in order to protect us or our users against fraudulent, offensive, inappropriate or unlawful use of the Service. We will inform you as much as possible and will ask for your permission before we share data for those purposes, unless this is not reasonably possible or the law forbids this.

4.5 Anonymised information

We may anonymise personal data so that it cannot be traced back to you. We may use such anonymised information for our own use and share it with third parties without your permission.

5. Push notifications and local notifications

We may send you push and/or local notifications by text message and/or e-mail, for instance in case you have almost reached your spending limit, in case you still need to fill in your kilometre count after refuelling or in case you refuel at a filling station that has not been selected by your employer and/or to remind you of active mobile parking transactions.

6. Protection of personal data

We will make sure that we take appropriate technical and organisational security measures for the processing of personal data. We comply with generally accepted standards to protect your personal data, both during the transmission thereof and as soon as we have received the personal data. We have taken the following measures in any case:

• we have implemented physical and technical measures and management procedures designed to prevent unauthorised access, loss or misuse of personal data as much as possible;
• sensitive information or personal data, such as account passwords and other payment-related identifiable information, is sent in encrypted form;
• sensitive information (including your password) is stored in encrypted and/or hashed form where possible;
• we restrict the internal access to personal data to employees who require the information to perform their duties. Our employees are bound by a confidentiality clause;
• our information management systems are set up in such manner that employees who are not authorised to examine specific information or personal data do not, in principle, have access to such information;
• our servers are located in a secure environment in data centres in the Netherlands. You only have access to the front end of our servers and only by logging in by means of a username and password. You are responsible for keeping your login details safe;
• the personal data is backed up on a frequent basis.

We would like to point out to you that we cannot guarantee absolute security for the processing of personal data via the internet or a method of electronic storage.

7. Links to sites of third parties

Our Service may contain links or refer you to other websites, apps and advertisements of third parties that may keep information about you. We have no control over such sites or their activities. All data, including personal data, that you provide to such third parties is submitted directly to such third party and is subject to the privacy policy of the third party in question. We are not responsible for the content, privacy and security practices and the policies of third parties to which we link, refer or which advertise on our Services and/or websites and in our apps. We advise you to examine the privacy and security practices and the policies of the third party before you submit data to them.

8. Your rights

Privacy legislation gives you certain rights with regard to your own personal data. The rights that we describe below are not absolute rights. We will always consider whether we can reasonably meet your request. If we cannot meet your request, if you make manifestly unfounded or excessive requests, or if it would be at the expense of the privacy of others, we can refuse your request. If we refuse a request, we will let you know and explain our reasons.

Right of access

You have the right to request which personal data we process about you. You can also ask us to provide insight into the processing grounds, relevant categories of personal data, the (categories of) recipients of personal data, the retention period, the source of the data and whether or not we use automated decision making.
You may also request a copy of your personal data that we process. Do you want additional copies? Then we can charge a reasonable fee for this.

Right to rectification

If the personal data processed by us about you is incorrect or incomplete, you can request us to adjust or supplement the personal data.
If we grant your request, we will, to the extent reasonably possible, inform the parties to whom we provide information.

Right to erasure

Do you no longer want us to process certain personal data about you? Then you can request us to delete certain (or all) personal data about you. Whether we will delete data depends on the processing ground. We only delete data that we process on the basis of a legal obligation or for the performance of the agreement if the personal data is no longer necessary. If we process data based on our legitimate interest, we will only delete data if your interest outweighs ours. We will make this assessment. If we process the data on the basis of consent, we will only delete the data if you withdraw your consent. Have we accidentally processed data or does a specific law require that we delete data? Then we will delete the data. If the data is necessary for the settlement of a legal proceeding or a (legal) dispute, we will only delete the personal data after the end of the proceedings or the dispute.
If we grant your request, we will, to the extent reasonably possible, inform the parties to whom we provide information.

Restriction of processing

If you dispute the accuracy of personal data processed by us, if you believe that we have processed your personal data unlawfully, if we no longer need the data or if you have objected to the processing, you can also request us to restrict the processing of that personal data. For example, during the time that we need to assess your dispute or objection, or if it is already clear that there is no longer any legal ground for further processing of those personal data, but you still have an interest in us not deleting the personal data. If we limit the processing of your personal data at your request, we may still use that data for the settlement of legal proceedings or a (legal) dispute.

Right to data portability

At your request, we may transfer the data that we automatically process to execute the agreement or based on your consent, to you or another party designated by you. You can make such a request at reasonable intervals.

Automated individual decision making

We do not take decisions based solely on automated processing.

Right of restriction of processing and withdrawal of permission

If we process data on the grounds of a legitimate interest, you may object to the processing. If we process data on the basis of your consent, you may withdraw that consent. For more information, please refer to the relevant processing purposes above.

Exercising your rights

You can view, verify, update, correct or delete your relevant personal data collected by the website and the Service, by using the function designed for this purpose in the Service (at www.xximo.nl).

You can also send a request for access, correction, deletion, data transfer of your personal data or request for withdrawal of your consent or objection to the processing of your personal data to privacy@xximo.com.

To prevent abuse, we ask you to identify yourself adequately in the case of a written request for access, rectification or erasure. You can do this by sending a copy of a valid proof of identity. Do not forget to screen off your citizen service number and passport photo on the copy.

We strive to process your request, complaint or objection within a month. If it is not possible to make a decision within a month, we will inform you of the reasons for the delay and the time when the decision is expected to be made (no longer than 3 months after receipt).

Dutch Data Protection Authority

Do you have a complaint about our processing of your personal data? Please contact us. We are naturally happy to assist you. If we cannot come to a solution, you are also entitled to submit a complaint to the national privacy authority, in this case the Dutch Data Protection Authority. For this you can contact the Dutch Data Protection Authority via https://autoriteitpersoonsgegevens.nl.

9. Contact

If you have any questions, problems or comments concerning this privacy statement, please contact our data protection officer by e-mail at privacy@xximo.com, or by letter sent to Stadsplateau 11, 3521 AZ Utrecht.