The data controller is QBQUITY Sprl(we/us). You can contact us here:
Address: rue Général Molitor 14 - 1040 Brussels (Brussels) Belgium
Lawfulness of processing (why do we store and process personal data?)
The purpose of the BiCity Project and QBQUITY Sprl is to provide open geographic data to anyone, in particular data related to cycling and all services that are useful for cyclists.
Purposes of personal data processing
- To provide the federated authentication service in order to access the Resources requested by the User. To verify and monitor the proper functioning of the service and ensure its security (legitimate interest - art. GDPR 6.1 f).
- To fulfill any legal obligations or requests from the judicial authorities (GDPR art. 6.1 c).
- In order to guarantee the service requested by the user (GDPR art. 6.1 b).
- The controller processes your voluntarily disclosed personal data - only for registered users (name, surname, nickname, e-mail address, user preferences, geolocation) on the basis of your freely expressed consent (GDPR art. 6.1 a) for sending newsletters.
What data do we store and process?
When a User wants to actively contributes to BiCity Project, he/she can create an account, providing the following data (all required):
- Valid email address
- Name/First Name
- Surname/Last Name
Contributions to BiCity Project
When a Registered User actively contributes to BiCity Project by uploading data via the web or via mobile app, the data collected are the following:
- editing session meta-data. For example comments added by the user, any version and similar information added by the editing application, which editing application and which aerial imagery layers where used.
- user id and login name of the author of every change to an object and a timestamp when that change occured.
- the name, surname or nickname associated with your account.
- any blocks the user has received and associated messages.
- network access data (example IP addresses) for the systems and services operated by the QBQUITY Sprl (see“Data we receive automatically”).
Data we receive automatically
When you visit the BiCity Project website, access any of the BiCity Project services via a browser or via applications that utilize the provided APIs, records of that use are produced; we collect information about your browser or application and your interaction with our website, including: (a) IP address, (b) browser and device type, (c) operating system, (d) referring web page, (e) the date and time of page visits, and (f) the pages accessed on our websites.
Further we may operate user interaction tracking software that will generate additional records of user activity, for example AWstats.
Services that use Geo-DNS or similar mechanisms to distribute load to geographically distributed servers will potentially generate a record of your location at a large scale (for example the BiCity tile cache network determines the country you are likely to be located in and directs your requests to an appropriate server).
These records are used or can be used in the following ways:
- in support of the operation of the services from a technical, security and planning point of view.
- as anonymised, summarised data for research and other purposes.
- to improve the BiCity Project dataset. For example by analysing nominatim queries for missing addresses and postcodes and providing such data to the BiCity community.
The data collected on the systems will be accessible by the system administrators. No personal information or information that is linked to an individual will be released to third parties, except as required by law. The above mentioned data is processed on a legitimate interest basis (see GDPR article 6.1f ).
Who has access to the data
We do not share email addresses associated with accounts with any third party and they are only accessible to our operations and working group personnel that have signed confidentiality agreements. User to user messages are visible to the sender and recipient, other access is limited to our operations staff and only if required for operational reasons, to enforce our acceptable use policies, to fulfil any legal obligations and most notably to prevent SPAM.
Similarly, network access data is only used for internal purposes and access is limited to operating personnel for operational and vandalism and SPAM protection purposes.
Where do we store the dataThe website, API servers, databases and the servers for auxiliary services are currently located in the Netherlands.
Map tiles are provided by a global network of cache servers, which tile server your browser or app access is determined dynamically by geolocation of the IP address and selection of the cache server "nearest" to you. While in general this means that you will be using the tile cache physically nearest to you, this can be affected by
- uncertainties in determining the location of the client from its IP address
- operational issues (server downtime etc)
- network topology and load
User Rights according to the GDPRIn accordance with Articles 7, 13, 15, 16, 17, 18, 19, 20, 21, 22 of the UE Regulation 679/2016 you can, at any time, exercise the following rights, by contacting the Controller:
- the right to obtain from the Controller confirmation as to whether or not personal data concerning you are being processed;
- the right to obtain the access to your personal data;
- the right to request from the Controller rectification or erasure of your personal data;
- the right to request from the Controller restriction of processing of your personal data;
- the right to object to the processing of your personal data;
- the right to receive the personal data concerning you, which you have provided to Controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided (data portability).
Furthermore, if you believe that your rights have not been respected, you can file a complaint with the competent Supervisory Authority.
How can you control the processing of your data and reduce privacy related issues
While not required by law, we provide the following mechanism to reduce the exposure of potentially privacy related information for you.
- you can select a non identifying login name and change it at any time you want,
- you can request your account to be deleted (restrictions see below) and this will be conveyed to registered entities that are using our full data.
You can further reduce exposure by not adding personal information to the map data (personal names and similar). Such information is in general not considered to be an useful addition to our data and you should refrain from adding it.
The registered email address for a BiCity user account will never intentionally be published on the internet anywhere, shared with third party organizations, or revealed directly to other users. Only system administrators will have direct access to email address data associated with the BiCity account. It may be used by these people to contact users directly about their edits or other QBQUITY Sprl related issues.
The bicity.info website supports the display of Gravatars, these are retrieved from gravatar.com by generating a globally unique key from your e-mail address. Our website software will check on the initial signup and on every email address change if you have a Gravatar for the new address and start displaying it if one exists. You can stop this behaviour by explicitly turning Gravatar support off in your account settings. You should be aware that, if a Gravatar is displayed, the key can be used to track your account over any website that has Gravatar support.
The QBQUITY Sprl may conduct surveys within the users in order to determine the opinions and better to serve the community. Distributing surveys and processing their results may require the use of personal data such as names and email addresses. Personal data gathered or used in connection with surveys will be processed in accordance with applicable data privacy laws and will be retained only as long as reasonably necessary.
Email addresses of the users may be used to invite them to participate in surveys. If survey data are made publicly available the data will be anonymized. Anonymized survey data, which may be useful to QBQUITY Sprl in the future for comparison purposes, may be retained indefinitely in accordance with applicable data privacy laws.
Third party provided services and data
These are specifically:
Login via external services (social login and similar)
You can request your account to be removed and we will honor such requests as far as possible. If you have not actively contributed to the project we will not retain any records. If you have contributed your account will be renamed to user_<USERID> and contributions and changeset comments will be retained with this name. In your request for account removal you need to identify all accounts that are affected as we do not have information on which accounts belong to which BiCity id.
Duration of Data Storage
All personal data collected to provide the service (name, surname, e-mail address, nickname) will be stored for as long as necessary to provide the service.
The browsing data (for example, IdP service log records etc.) will be deleted after 14 (fourteen) days.
Longer retention periods are provided only in the event of a request by the judicial authority in order to ascertain crimes or for accounting or tax obligations to which the controller is subject.
Cross-border transfers of personal data
|__Host-refreshToken||Essential||1 week||It's used by the BiCity application to remember the logged user for the next 7 days|
|JSESSIONID||Essential||Session (expires when the brower closes)||It's used by the MAPQUEST when performing geo location of the address|