Privacy Policy

Preamble

The Bordeaux Métropole Transport Network (TBM) is operated by Keolis Bordeaux Métropole Mobilités on behalf of Bordeaux Métropole, the organizing authority.

We make every effort to protect your personal data in accordance with applicable European and French regulations.

This privacy policy ("Privacy Policy") is intended to inform you about the purposes and conditions under which we process the personal data that we may collect through various channels, such as our commercial services, the websites we offer such as www.infotbm.com, our mobile applications (TBM, etc.), our social networks, or even our possible events.

Our Cookie Management Policy, accessible in the "Cookie Management" section in the footer of the website www.infotbm.com, complements this Privacy Policy to inform you about the purposes and conditions of use of cookies or browsing data that may be deployed on our websites. For mobile applications, the applicable Cookie and Tracker Management Policy can be found within the application.

We invite you to take the time to read this Privacy Policy to have all the useful information allowing you to understand the use made of your personal data and to freely and fully exercise the rights guaranteed to you by the applicable laws and by this Privacy Policy.

General Provisions

  1. Data Controller

As operator of the Bordeaux Métropole Transport Network (TBM) on behalf of Bordeaux Métropole, Keolis Bordeaux Métropole Mobilités is the joint data controller with Bordeaux Métropole for your personal data collected and processed, unless we specify that Keolis Bordeaux Métropole Mobilités is the sole data controller.

  1. General Terms of Use

This Privacy Policy is an integral part of the General Terms of Use (CGU) of the website www.infotbm.com and its online services, the General Terms of Sale and Use (CGVU) of our services, or the General Terms of Use (CGU) for certain of our applications and must be read in conjunction with them. These conditions are accessible in the "CGV and Legal Notices" section: https://www.infotbm.com/en/general-sales-conditions-and-legal-notices.html. For mobile applications, the applicable CGU can be found within the application.

  1. Applicable Law and Competent Administrative Authority

The Privacy Policy is governed by the General Data Protection Regulation No. 2016/679 ("GDPR") and by the Data Protection Act No. 78-17 of January 6, 1978, as amended ("Data Protection Act"), under the regulatory control of the French data protection authority, the CNIL (National Commission for Information Technology and Civil Liberties – www.cnil.fr).

  1. Links to Third-Party Websites

The websites we offer and our mobile applications may contain or use links to websites, mobile applications, products, or services that are operated by third parties (including advertising sites, our partners, or social networks). We remind you that the Privacy Policy does not extend to these third parties over which we have no control and for which we cannot be held responsible. We encourage you to familiarize yourself with the privacy policies, procedures, and practices of these third parties.

  1. Protection of Minors

For the purpose of providing our products and services digitally, we may collect personal data from minors under the age of 16, under the control and with the consent of their legal representatives (parents or guardians). Users of our digital services who inform us that they are under the age of 16 have a discretionary right to delete their data (subject to our legal retention obligations described in Article 3 "Use of Data Collected and Retention Periods" below), which they can exercise directly or through their legal representative, at any time and without cause, by contacting us under the conditions of Article 9 below "Contact Us."

2. Personal Data We Collect

  1. The Privacy Policy applies to personal data that we may collect from you or about you (see below), from the following sources:

Completion of subscription or collection forms on paper or electronic media that we offer or during operations or events that we organize and in which you participate; Visiting one of our physical points of sale, requesting information and/or purchasing one of our services; Contact request or exchanges by email/ mail and/or by phone with our customer service; Receipt of supplier/prospect information in the context of pre-contractual and contractual relations management; Processing of CCTV images from cameras installed in our publicly accessible facilities (commercial agencies, transport vehicles); Validation of tickets, access control to our services (urban, collective or individual transport, medicalized, vehicle parking, etc.), or processing of infractions and fine recovery; Use of our services, including our ticketing systems and applications, as well as on-demand transportation services, reduced mobility transportation, and/or bicycle mobility services via self-service/bike parking lots; Processing of infractions and fine recovery; Browsing on the websites we offer or use of our mobile applications; Receipt and sending of emails, text messages, and other electronic messages between you and us; Telephone or voice exchanges between you and us, or one of our service providers; Exercise of your rights under the GDPR addressed by mail and/or email to Keolis Bordeaux Métropole Mobilités; For recruitment, receipt, and management of your application by Keolis Bordeaux Métropole Mobilités, via your submission by mail and/or email and for the establishment of a resume database; The mandatory information requested during collection is indicated by an asterisk. Without providing the mandatory information, your order or request cannot be processed.

  1. Concerning Geolocation

The infotbm.com website and TBM mobile applications offer a geolocation functionality only intended to automatically position the map where the user is located when using the website or mobile application (geographical position, including your latitude and longitude). Geolocation data is neither recorded, stored, nor used. The use of the geolocation functionality of the infotbm.com website is possible after the user has given prior and express consent to be geolocated. The geolocation function is directly managed by the user in the settings of their web browser. They must accept that the infotbm.com website may use it to benefit from the functionality. Users can enable or disable the geolocation function of their web browser at any time, under the geolocation function. The use of the geolocation functionality of the application is possible after the user has given prior and express consent to be geolocated. The geolocation function is directly managed by the user in the settings of their mobile device and must accept that the application may use it to benefit from the functionality. Users can enable or disable the geolocation function of their device at any time, under the geolocation function of the application.

Utilization of Collected Data and Retention Periods

We collect and use personal data about you for the main purposes described below. We only retain your personal data for as long as necessary to fulfill the various purposes, except where the law allows or requires us to keep them for longer. These maximum retention periods apply unless you request the erasure or cessation of use of your data before their expiration for a reason compatible with any legal obligation that may apply to us.

The table below summarizes the various maximum retention periods applicable:

 

Purposes Types of Data Collected Storage Periods
Management of user accounts on our Sites and/or applications Connection data, Identification data 1 year from user inactivity
Management of commercial prospecting and sending of news to customers and prospects Identification data, Personal life data 3 years from the end of the contractual relationship for the client and from the last contact initiated by the prospect
Management and registration for tram/bus/Bat3/P+R (park and ride) / P+V (bike parking) transport services Identification data, Bank data 3 years from the end of the contractual relationship for prospecting. 5 years from the end of the contractual relationship.
Management and registration for on-demand transport service Identification and connection data, Pickup and destination address, date, time place Data will be deleted/anonymized 2 years after the last reservation. Journey histories will be retained for 12 months/rolling year). Contractual relationship data is kept for 5 years after its end.
Management and registration for reduced mobility transport services Identification data, Data necessary to validate service registration (handicap card, etc.), Pickup and destination address, date, time place, information about the necessary disability during pickup Registration data kept for the duration of the application study and validation. If the application is approved, only data necessary for the service will be retained and/or collected and processed as part of the service. Customer data will be deleted/anonymized 2 years after the last reservation. Journey histories will be retained for 12 months/rolling year. Contractual relationship data is kept for 5 years after its end.
Management and registration for long-term subscription bike-sharing services Identification and connection data, Pickup and destination address, date, time place 3 years from the end of the contractual relationship for prospecting. Contractual relationship data is kept for 5 years after its end.
Management, issuance, and use of transport tickets (customer relationship management, distribution of supports and transport tickets, management of sales channels and validation of tickets) Identification data, Validation data, Photo Data related to the customer relationship is kept for the duration of the contractual relationship and 3 years after its end for customers and prospects. Data related to complaints, in the post-payment context (billing information, including validation data, except for location data), are kept for 4 months from the date of events (then 13 months in intermediate archiving). Data related to unpaid bills are removed from the opposition list upon regularization. In the absence of regularization, data is kept for a maximum of 2 years. Validation data may be kept for a maximum of 48 hours and solely for the purpose of combating technological fraud. The data is anonymized for statistical use. The photo is kept for the validity of the Network subscription card, unless opposed by the holder.
Registration and sending of the newsletter / sending of traffic alert Identification data Until the client unsubscribes
Conducting surveys of usage and satisfaction with services Identification data, Travel and service usage habits Anonymization of responses after survey completion and study
Response to your information / questions requests Identification data and request details Requests received, Responses provided
Participation in the "Ma voix, mon réseau" panel Identification data, Personal and/or professional life data 1 year after unsubscribing from the panel
Management and archiving of purchases and service provisions, warranties, billing, recovery Identification data, Order and subscription data, Payment data 10 years from the last event, except for payment data, which are processed by Keolis Bordeaux Métropole Mobilités' payment service providers only for the duration of the payment transaction prescription
Complaints management Identification data, Order and subscription data, Responses provided 5 years from the closure of the complaint
Management of reports of incivility, violence, harassment made by users Identification data, Description of the report 1 year from the report, then deleted or anonymized
Follow-up of issued minutes and corresponding fines Identification data, Location data, Data relating to offenses Until the fine is paid
Detection of the habitual offense N/A Maximum 12 months
Issuance of regularization bulletins, processing of reminders and subsequent complaints following a finding of an offense N/A 1 year in active base then 2 years in archive
Management of cookies: audience measurement Cookies Please refer to our Cookie Management Policy for data retention periods related to cookie management.
Prevention of incidents, findings of offenses through the use of body cameras Images and sounds, Location data Maximum 6 months
Prosecution of offenders and evidence gathering in case of judicial, administrative, and/or disciplinary proceedings through the use of body cameras Extracted images and sounds, Location data Duration of the procedure
Management of video protection in commercial premises and in transport vehicles Images, Identification data, Location data Maximum 7 days
Recording of calls to the customer relations center for training purposes and in case of incidents Call sounds, Identification data Maximum 6 months
Recording of emergency calls at station Call sounds Maximum 1 month
Management of your recruitment and creation of a CV database Identification data, Professional and personal life data (CV, etc.) Duration of the study of applications then maximum 2 years from sending the response, if you are not selected in order to contact you for other opportunities, unless you object
Conducting statistical analyses on network usage Anonymous statistics Anonymous
Management of contests Data necessary for participation in contests and selection of winners Duration of the contest until the prizes are awarded (archived for 5 years)
Management of lost and found items Identification data, Banking data, for due fees 12 months from registration for the service
Management of requests to exercise rights and information under the GDPR Identification data including identity documents Requests received, Responses provided
Management of pre-litigation and litigation, evidence gathering Data necessary for the ongoing procedure Duration of the procedure

4. Legal Bases for Processing Personal Data

In accordance with applicable regulations, we process your data when we have a legal basis that allows us to do so. This may be contractual performance (1), your consent (2), legitimate interest (3), or a legal obligation (4).

  1. Processing purposes based on the legal basis of contractual (or pre-contractual) performance:
  • Registration and management of TBM services;
  • Management and registration for tram/bus/Bat3/P+R (park and ride) transport service;
  • Management and registration for on-demand transport service;
  • Management and registration for transport services for people with reduced mobility;
  • Management and registration for long-term subscription and bicycle shelter bike-sharing services;
  • Management, issuance, and use of transport tickets;
  • Management and logging of purchases and service provisions, guarantees, recovery, billing;
  • Provision of network news and any incidents and disruptions observed in the provision of our services;
  • Handling of complaints.
  1. Processing purposes based on the legal basis of your consent:
  • Management of your user accounts on our websites and/or applications;
  • Management of commercial prospecting and sending news to customers and prospects;
  • Newsletter subscription and distribution/alerts for traffic updates;
  • Conducting satisfaction surveys;
  • Participation in the "My Voice, My Network" panel;
  • Management of cookies and trackers on our websites and applications excluding technical cookies and trackers necessary for operation;
  • Establishment of a resume database.
  1. Processing purposes based on the legal basis of legitimate interest:
  • Handling of your information/queries;
  • Management of reports of incivility, violence, harassment made by users;
  • Management of competitions;
  • Recording of calls to customer service centers;
  • Management of lost items;
  • Handling of pre-litigation and litigation, evidence gathering: data necessary for ongoing procedures;
  • Recording of calls on station intercoms (emergency calls);
  • Conducting statistical analyses on network usage;
  • Organization of contests and awarding of prizes;
  • Implementation of experimental body-worn cameras in accordance with Article 113 of the Mobility Orientation Law;
  • Implementation of video protection in areas for the security of property and persons in accordance with the Internal Security Code;
  • Management of personnel recruitment by Keolis Bordeaux Métropole Mobilités.
  1. Data collected on the basis of legal obligation:
  • Management of fraud and recovery of fines, as well as detection of habitual offenses;
  • Management of your requests to exercise rights (access, rectification, opposition, etc.) under the GDPR.

5. Data Transmission

Your personal data may be disclosed:

  1. Internally

To authorized departments of Keolis Bordeaux Métropole Mobilités who need to know them for the aforementioned purposes, including customer service, human resources, security and fraud department, sworn agents, security service authorized personnel, legal department, etc.

  1. Within the Keolis Group

We may share your personal data with certain entities within the Keolis Group (e.g., Keolis SA and Keolis Solution) to ensure the continuity of our services, our relationship with our clients, prospects, or users, the websites we offer, and mobile applications.

For personnel recruitment, if you apply through the Keolis Group recruitment portal, your account and application data will be processed by Keolis SA as a separate data controller, which will transmit your application for processing by Keolis Bordeaux Métropole Mobilités as a separate data controller.

  1. With Service Providers, Subcontractors

We may disclose your personal data to trusted third parties (service providers, subcontractors), located within or outside the European Union, to assist us in operating our services, including ensuring the proper functioning of the websites we offer and mobile applications.

In the context of personnel recruitment, your personal data processed in the management of your application may also be disclosed to service providers, as well as to external organizations if they are employed by Keolis Bordeaux Métropole Mobilités as part of recruitment processes (recruitment agencies).

  1. To the Organizing Authority and Transport Operators of the Region/Department

As part of the interoperability of certain tickets and subscriptions, ticketing customer data may be transmitted to the organizing authority and/or to other operators exclusively to ensure interoperability of the tickets.

At the end of the Public Service Delegation, your customer data will be transmitted to the organizing authority and/or to the new transport operator of the TBM network to ensure continuity of the public service.

Your customer data may be transmitted to the organizing authority as a joint data controller.

  1. To Commercial Partners

We share certain pseudonymous data, containing no direct identification elements, for the purposes described in Article 3 "Use of Data Collected and Storage Periods" above, concerning cookies and trackers collected with partners who collect and process these cookies/trackers. These partners are separate/co-responsible for the processing regarding the processing carried out.

  1. To Third Parties for Legal Reasons

In cases where we are required to comply with laws and regulations and legal requests and orders or if permitted by law (i.e., for the protection and defense of rights, situations threatening life, health, or safety, etc.), such as transmitting unpaid fines to the Public Prosecutor's Office, or transmitting video protection images to the Judicial Police in the event of a judicial requisition.

If you have formally consented, some of your data may be transmitted to commercial partners and/or to the organizing authority exclusively for the intended purposes.

  1. In Any Case

In any case, we always require these recipients to provide sufficient confidentiality and security guarantees and to take the necessary physical, organizational, and technical measures to protect and secure your personal data in accordance with applicable law.

All of your personal data is primarily processed and hosted within the EU. However, data transfers outside the EU may occur. Any transfer of your data outside the EU is made with appropriate safeguards that comply with applicable regulations, either because the recipient countries benefit from an adequacy decision or because these transfers are framed by the implementation of Standard Contractual Clauses validated by the European Commission. For more information on the framework for these transfers, you can contact us at the contact addresses indicated in Article 9 below "Contact Us".

6. Data Security

We secure your personal data by implementing appropriate physical, organizational, and technical measures to prevent unauthorized access, use, disclosure, alteration, or destruction, in accordance with applicable regulations.

These measures include:

  • Storage on secure servers;
  • Securing your data, particularly through pseudonymization processes, encryption of transmitted data, and the implementation of means to ensure the confidentiality, integrity, and availability of your data;
  • Limited access to your data on a "need-to-know" basis;
  • Implementation of internal organizational measures to protect your data, including the establishment of a procedure for managing personal data breaches.

Although we implement all possible measures to protect your personal data, we cannot guarantee the security of information transmitted on the websites we offer or mobile applications when there is a security flaw affecting your device or browser.

7. Your Rights Regarding Your Personal Data

Under the GDPR and the Data Protection Act, you have various rights, including:

  1. Access, Modification, Update, and Deletion of Your Personal Data

You can request access to your personal data held and processed by us, review it, obtain a paper or electronic copy, and request correction, updating, or deletion.

  1. Objection

You can request at any time that certain of your data no longer be processed.

  1. Portability

You can request that your data undergoing processing be provided to you in an open and machine-readable format, either for your personal use or for transfer to another data controller.

  1. Limitation of Processing

In certain cases, you can request that the processing of your data be limited.

  1. Complaint to a Supervisory Authority

Without prejudice to any other legal remedy, you have the right to lodge a complaint with the supervisory authority of the European Union country in which you reside, work, or where you believe a violation of your rights has occurred.

  1. Post-mortem Fate of Your Data

You have the option to determine the post-mortem fate of your data.

  1. You can exercise all of these rights by sending us a written request, accompanied by proof of identity (when necessary to verify your identity), to the contacts mentioned in Article 9 below, "Contact Us."

We will endeavor to respond to your requests promptly and in accordance with applicable regulations. However, in some cases, we may not be able to respond favorably to comply with our legal or contractual obligations.

8. Cookie Management

Cookie management is governed by our Cookie Management Policy available [here](link to the cookie management policy). For mobile applications, the applicable Cookie and Tracker Management Policy can be found within the application.

9. Contact Us

To exercise your rights or for any questions regarding the Privacy Policy, please contact us at the address below. For any questions regarding the processing of your personal data, you can contact the Data Protection Officer of Keolis Bordeaux Métropole Mobilités:

By postal mail: Keolis Bordeaux Métropole Mobilités - Data Protection Officer - 12 Boulevard Antoine Gautier, 33082 Bordeaux Cedex

Via this form

Note: Postal or electronic mails addressed to the Data Protection Officer of Keolis Bordeaux Métropole Mobilités are reserved for exercising the Customer's rights regarding their personal data. They cannot be used for inquiries, modifications, or termination of TBM subscriptions or complaints.

10. Modification of the Privacy Policy

Keolis Bordeaux Métropole Mobilités may make changes to the Privacy Policy.

We encourage you to regularly check this page to review any modifications and stay informed about the measures we are taking to protect your personal data.

The Privacy Policy was last updated on September 26, 2023.