Processing of personal data

IGP - Privacy Statement relating to the "bikeMi" Bicycle Sharing System

Who does this Notice apply to?

IGP (“we,” “us,” or “our”) takes your privacy very seriously and will collect and process your Personal Data in a secure manner. In order to protect your privacy, IGP acts in accordance with EU Data Protection Law, namely the General Data Protection Regulation 2016. Before you agree with this IGP Privacy Notice, we recommend you read it carefully. (This notice covers personal data processed by bikeMi. For information on other personal data IGP may process, please see the IGP Privacy and Cookies Notice on

This IGP Privacy Notice (“Notice”) applies to you, as a Smart Bike or Bike Scheme User (“User”); it explains to you as the Data Subject what Personal Data we process and how, when and why it is processed. It also explains your rights in relation to the processing of your Personal Data and how you may exercise those rights.

Why is this Notice important?

IGP operates a Smart Bike sharing service in the city of Milan called bikeMi (“Service”), which enables users to hire a bike through registration on, email, telephone, and the smartphone application, bike station, bike dock, or any other mechanism in place (“the Platforms”), in accordance with the terms of use found here In order to make this service possible we need to collect and process your Personal Data.

bikeMi has its registered office at Viale Regina Margherita 42 - Roma, company registration no 12710340154.

This Notice informs you of our practices with respect to the collection, use and disclosure of Personal Data which you provide to us via our Platforms, or from third party applications we have engaged to make the Service work effectively.

It also describes your data protection rights, including a right to object to some of the processing which IGP carries out. More information about your rights, and how to exercise them, is set out in the “Your Rights” section.

Personal Data” means personal information that identifies you as an individual or relates to an identifiable individual as defined under applicable European legislation (and in particular, the European General Data Protection Regulation).

What does this Notice do?

This Notice informs you of our practices from 25 May 2018 with respect to the collection, use and disclosure of Personal Data which you provide to us.

Why we collect Personal Data and on what legal basis?

We collect this information in order to make all functionalities of the Service available to you, namely:

  • to verify and process your order;
  • for invoicing;
  • to keep you posted on the progress of your order;
  • answer your question when you contact us;
  • to assist in retrieving a lost or stolen bike and administer support in an accident or incident.

also use the Personal Data to personalise our Platforms for you and improve your user experience to:

  • adapt and enhance our Platforms;
  • provide customer services;
  • process and administer subject access requests to data; and
  • resolve complaints (this may include verifying your personal details or having them verified by a third party if this is necessary in order to deliver personal services).

We do this because you have registered to use bikeMi and the legal basis upon which we rely to process this data is:

to fulfil the obligations of a legal contract which you enter into when you engage the Services; and

In our legitimate business interests and that of that of the city of Milan in connection with our agreement with them, where we manage bicycle furniture on behalf of the city of Milan. Under this agreement we may provide information about you to our support department and bike recovery team; in order to prevent fraud; communicate with you about delivery times, services and other updates and for statistical purposes where data will be anonymised.

Where we are required to do so by law, in our legitimate interests or where we need to protect your interests or someone else’s interests; we may share your details with local enforcement agencies, including the police, and to any competent judicial or administrative authority.

What Personal Data we collect, how and why?

Specifically, we may use the Platforms to collect the following Personal Data at the specified times and for these reasons (in brackets):

  • your first and second name when you first register with us (to identify you in order to operate the Service);
  • gender when you first register with us (to identify you in order to properly address you and for our statistical purposes);
  • name and contact details of parents or guardians of child bike users (in order to communicate with those contacts, verify the order, keep the parents updated of and provide important communication on the progress of the order and send parents information they might be interested in);
  • email address when you first register with us, (in order to identify you, verify your order, keep you updated of and provide important communication on the progress of your order and send you information you might be interested in);
  • billing and postal address when you first register with us, (to identify you, verify credit card details and process your order);
  • contact number when you first register with us and at any other point of the transaction, (to identify you, update you and communicate with you).
  • payment information, when you first register with us and at any other point of your subscription (to complete your order);
  • encrypted credit card data when you first register with us and at any other point of your subscription (to complete your order);Direct debit details and mandate when you first register with us and at any other point of your subscription, (to complete your order);
  • recorded calls when you contact our customer care team (for internal training purposes and to solve user complaints);
  • time stamps from calls and bike stations, including date and time, when you contact our customer care team or collect and return a bike, (to monitor calls for training purposes, to monitor duration of use, track the security of our bikes and to prevent unauthorised use);
  • secure login details if you register for our Platforms (to access secure or otherwise restricted parts of our Platforms e.g. to access your customer account, marketing preferences control panel securely);
  • twitter handle when you contact our customer care team (so we can respond back to you);

In some circumstances, we may request additional Personal Data to help us to provide you with the most appropriate response – and that use of Personal Data is as provided for in the Privacy and Cookies Notice If you do not provide Personal Data allowing us to process your use of the Service where requested, your access to the Service, or our ability to assist you, may be restricted.

Direct Marketing and Promotions

To make your experience of using bikeMi useful, we may rely on our legitimate business interest and use your email address to inform you about the development of Platforms, special offers and promotions. We may share your contact details with our partners of the smart bike/bike scheme upon explicit consent. If you no longer wish to receive this information, you can unsubscribe using the information provided below under “Opt-Out of Marketing and Promotions”.

Opt-Out of Marketing and Promotions

You have the right to opt out of receiving direct Marketing and Promotions communications by:

clicking on the relevant ‘unsubscribe’ link in the email;

contacting us at

changing your marketing preferences on bikeMi

letting us know at the time that you provide your Personal Data.

If you withdraw, where it has been provided, your consent to receive any further Marketing and Promotions communications from us, we will not contact you further for the purpose of direct marketing. This will not prevent you from using any of bikeMi Platforms.

If you have any queries or complaints about how we have handled your Personal Data, please contact

Sensitive or “Special Category” Personal Data

We will not ask for your Sensitive Personal Data except in the event we have to report a matter to the legal authorities.

Sensitive or “Special Category” Personal Data means Personal Data which may relate to: race or ethnic origin; political opinions; religious or other similar beliefs; trade union membership; physical or mental health; sexual life or criminal record. Where you do provide Sensitive Personal Data, we will keep it secure and for a proportionate amount of time, and only use that information in connection with the purpose for which it has been provided.

Children’s Personal Data

Our Platforms are not intended to target children under the age of 14. We will not knowingly process their Personal Data via our Platforms. We may process Personal Data of children aged 14 to 18 years old who are bike users, with parental or guardian consent only.

Your Rights

Under the European General Data Protection Regulation and other applicable legislation, you have rights over your Personal Data which include those listed below. To exercise any of these rights, or to obtain other information, such as a copy of a legitimate interests balancing test, you can get in touch with us using the details set out below.

Right to Rectification of Personal Data

If you advise us that your Personal Data is no longer accurate, we will amend or update it (where practical and lawful to do so). You can tell us about any inaccurate data by contacting our customer support team or update it yourself on the customer portal.

Right to Access Personal Data

Where permitted by law, you may have the right to contact us to request a copy of Personal Data that we hold about you. Before responding to your request we may ask you to (i) verify your identity and

provide further details so we can better respond to your request.

These rights may be limited, for example if fulfilling your request would reveal Personal Data about another person, where they would infringe the rights of a third party (including our rights) or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests in keeping that Personal Data. Relevant exemptions are included in both the GDPR and in local Data Protection legislation. We will inform you of relevant exemptions we rely upon when responding to any request you make.

You may also request from us to transfer your data to another entity. If you wish to exercise this right, please contact the customer support team

If you require further information on your rights or our use of your Personal Data, please contact us at info@bikemi. If you have unresolved concerns, you have the right to complain to an EU data protection authority where you live, work or where you believe a breach may have occurred.

Right to Erasure or Restriction of Processing of Personal Data

You can ask us to delete or restrict processing of your Personal Data in some circumstances such as where we no longer need it, or you withdraw your consent (if we rely on consent for processing). We might be required to store some or all of your data to fulfil our legal reasons. If we’ve shared it with others, where possible, we’ll let them know about the erasure. If you wish to exercise this right, please contact the customer support team

Right to Withdraw Consent

You have an absolute right to opt-out of direct marketing, or profiling we carry out for direct marketing, at any time. If, at any time, you have consented to us processing your Personal Data in the circumstances or purposes described above, and you no longer wish to have your Personal Data processed in this way, you may unsubscribe by contacting our dedicated customer support team

Rights in relation to Automated Decision-making and Profiling

ou have the right not to be subject to a decision when it’s based solely on automated processing or profiling which produces a legal or similarly significant effect on you. We only carry out this type of decision-making where the decision is necessary for the entry intoorperformanceofacontract;orauthorisedbyUnionorMemberstatelawapplicabletous;or based on your explicit consent.

Right to Portability

You can ask us to provide you with your personal data (that you provided to us or that we observed through your activities on our Platforms) in a commonly used and machine-readable format to send it to another controller.

Right to Object

You can object to the processing of your personal data in some circumstances (in particular, where we don’t have to process the data to meet a contractual or other legal requirement, or where we are using the data for direct marketing if we are not relying on your consent).

Third Party websites

Where links from our Platforms are provided to non-IGP websites, we are not responsible for those websites and nor do we imply endorsement of any the linked third party websites. These third-party websites will be governed by different terms of use , depending on the owner and data controller of those websites(including privacy notices) and you are solely responsible for viewing and using each such website in accordance with their own applicable terms of use. We are not responsible for how your Personal Information is handled by such third-party websites. These websites are not covered by this Notice unless otherwise specified in this Notice.

Security of Personal Data

Your Personal Data (and commercial information) will be kept as confidential and as secure as possible. We employ appropriate technical and organisational measures consistent with our legal obligations and standard industry practice. Further, as required by the GDPR, we follow strict security procedures in the storage and disclosure of Personal Data which you have given to us, to prevent unauthorised access as far as reasonably possible.

We use industry standard practices to safeguard the confidentiality of your Personal Data, including “firewalls” and Secure Socket Layers, including compliance with the Payment Card Industry Data Security Standard. We treat your Personal Data as an asset that must be protected against loss, alteration, destruction and unauthorized access and which our employees and representatives must keep confidential, and we use many different security techniques to protect your Personal Data from unauthorized access by users’ inside and outside of bikeMi. We also use internal protections to limit access to users’ Personal Data to only those employees or representatives who need the Personal Data to perform a specific function. It is impossible to guarantee security, but we commit to taking appropriate action in the event of a breach.

We will inform you, as long as it is reasonable to do so, if your Personal Data has been breached.

Transfer of Personal Data

Third Parties

We transfer your personal data where we use third party service providers (as more fully described in this section below) to help us process Personal Data for the purposes described in this Notice, these will include customer management and intelligence solution providers, aggregated data analytics partners, web hosting facilities, audit and compliance partners.

We may receive and send information about you, including your Personal Data, if you use any of our Platforms to our partners or sub-contractors (Data Processors) in technical, payment, identity verification and delivery services, analytics providers or credit reference agencies;

We only share your Personal Data with third parties in the following cases:

Where it is necessary to involve a third party service provider, for the performance of our contract with you in order to provide the Service (e.g. a payment processor when we charge you fees in relation to the Service);

On the grounds of our legitimate business interests, namely:

As part of the booking process, we may use multiple IT applications to provide the Service to you.

With a service provider engaged in maintenance of our platforms;

We use analytics and search engine providers to assist us in the improvement and optimisation of our Platforms.

We may also disclose your information if required to do so by law or in a good faith belief that such access, preservation or disclosure is reasonably necessary to (i) respond to claims asserted against us (ii) to comply with legal proceedings, (iii) to enforce any agreement with our users such as our Terms and Conditions and our Privacy Notice, (iv) in the event of an emergency involving the danger of public health, death or physical injury to a person (v) in the framework of investigation or (vi) to protect the rights, property or personal safety of bikeMi employees and representatives.

If you require further information on our Third Party processors you can contact us at

Transfers outside the European Union

Non-European countries may have data protection laws that are less protective than the legislation where you live. Where this is the case (such as the United States), our transfers of Personal Data will be regulated by standard contractual clauses relating to the transfer of Personal Data outside of the European Union (or outside of jurisdictions deemed “adequate” for data privacy by the European Union). We will not transfer your data outside of the European Union for any other reason than described in this Notice, unless we are required to do so by operation of law.

Sale or Merger

If bikeMi or its assets are sold to or merge with another entity you should expect that some or all of the Personal Data collected by us may be transferred to the buyer/surviving company.

Retention of Personal Data

We will retain your Personal Data for the duration of your relationship with us to fulfil the purposes for which we collected it. After our relationship ends, we will retain your Personal Data in accordance with our retention policy which has been determined based on the purpose for which we process your Personal Data, the volume, type and context of the Personal Data, local legal requirements, the risk of harm to the data protection rights of the individual and whether the purpose for processing Personal Data can be established through an alternative method. The retention period that applies to most Personal Data is ninety days, but different retention periods may apply when it is necessary for us to:

•comply with any legal, regulatory, accounting and reporting requirements, and

•establish, exercise or defend any legal rights or claims.

We or our third party data processors will dispose of your Personal Data at the end of the relevant retention period, or anonymise it so it no longer identifies you.

For further information regarding the specific retention periods we apply to your Personal Data please contact us at

Contact us

Should you wish to make any comments, complaints, enquiries or if you have any questions relating to this Notice, your rights, the Platform, our Marketing and Promotion materials or Services we provide, you may contact IGP S.p.A

writing to us by e-mail or by regular and/or registered mail to the following addresses:

by e-mail:

by regular and/or registered mail:

IGP S.p.A.

Via Benigno Crespi, 57

20159 Milano (MI)

Changes to this Notice

This Notice is subject to periodic review to ensure it is in line with applicable legislation. We retain all applicable ownership rights to information we collect. We reserve the right to change, modify, add or remove provisions of this Notice. Any changes to this Notice will be posted here, and we encourage you to check back from time to time. If the changes are substantial, we will notify the changes to you.