Effective Date: 12/13/2020
Your Privacy Matters to us.
The Los Angeles Metropolitan Transportation Authority’s (“Metro,” “we,” “us”) MicroTransit Program (“Micro”) is designed to expand and personalize your transportation options. As you share your Personal Information with Metro, we want you to understand what Personal Information we collect, for what purposes, and what privacy options are available to you. Please refer to the Glossary at the end of this policy for definitions of certain capitalized terms.
Information We Collect.
The Micro program collects a variety of information about you resulting from your direct requests, your use of the Micro website [www.metro.net/microtransit or www.metro.net/micro or https://book.metro-micro.net and https://api.metro-micro.net] (the “Website”) or the Micro mobile application (the “App”). This Personal Information is used to provide the Micro program, respond to your requests, provide customer support and to comply with legal and contractual obligations.
We collect Personal Information automatically and directly from you when you call us, email us, use the App or Website, create, update or access an account with Metro, or visit Customer Service. Personal Information we may collect directly includes:
- phone number,
- email address,
- physical address,
- physical limitations and medical requirements,
- physical description,
- physical description of mobility devices
- physical descriptions of cargo,
- customer location information,
- referral information,
- credit card and other financial information, and
- other information we request or that you provide to us manually.
- Personal Information we may collect automatically includes:
- phone number,
- IP (internet protocol) address,
- device identifiers for tracking,
- system log data,
- geographic location,
- travel pattern data,
- website usage and related data,
- physical limitations and medical requirements, and
- other information available as a result of new or combined Metro technologies.
If any Personal Information is requested on the Website or App, and provided by you, such information is governed by all current or future state and federal laws and regulations including those which address personal information collection, use, distribution and maintenance (the “Applicable Law(s)”) including without limitation California Civil Code Sec. 1798 et seq., the California Public Records Act, and the Federal Privacy Act.
Storage and Data Retention.
Metro processes and stores data in the United States for processing, back-up and recovery purposes. If you live outside of the United States, you understand and agree that we may transfer your Personal Information to the United States. The Metro Website and App, and Micro program are subject to United States laws, which may not afford the same level of protection as those in your country.
We will retain your Personal Information for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Please note that retention periods may vary depending on the type of information, how it is used, and relevant legal requirements in accordance with Applicable Law.
How We Use Your Personal Information.
The Metro Micro program does not sell or lease your Personal Information. When you provide Personal Information to us, we use this information for limited purposes including to:
- provide, operate and maintain the Micro program,
- facilitate the Micro program as you direct us,
- inform new service offerings and products under the Micro program,
- analyze ridership trends, statistics and service metrics,
- process payments by debit card, credit card, digital wallets or TAP card stored value or pass programs,
- understand how users are engaging with us and improve the Micro program,
- communicate with you, including providing discounts and rewards,
- detect security incidents and protecting Metro against malicious, deceptive, fraudulent, or illegal activity, including identity theft, and
- undertake other activities as required by Applicable Law.
Disclosure of Your Personal Information.
The Metro Micro program only shares your Personal Information with Service Providers as required for the uses of your Personal Information identified in the “How We Use Your Personal Information” section above. Specifically, we share Personal Information including your name, geographic location and travel pattern data with our Service Provider contracted to provide the Micro program. As well, your Financial Information is shared with financial institution Service Providers (credit card processors) to process payments. We may also share your Personal Information where required to do so by Applicable Law.
Cookies and Similar Technologies.
Some web browsers may have features that can notify you when you receive a cookie or prevent cookies from being sent. If you disable cookies, however, you may not be able to use certain functions of our Website or App or they may not perform as expected.
Metro does not respond to browser-initiated Do Not Track signals, as the internet industry is currently still working on Do Not Track standards, implementations, and solutions.
The Website may offer social sharing features or other integrated tools, which let you share information you provide via the Website or the App with other media, and vice versa. The use of such features enables the sharing of information with your friends or the public, depending on the settings you establish with the third party that provides the social sharing feature. The fact that we link to or provide integrated tools for sharing with social media sites is not an endorsement, authorization, or representation of our affiliation with that social media site, nor is it an endorsement of their privacy or information security policies or practices. The collection or processing of your information as a result of any social sharing is governed by the agreements and privacy policies of such other social platform, not Metro, and you should review and approve your information, rights and preferences with such other platform(s).
A Note to Parents and Children Under 13.
We recognize the importance of protecting the privacy of children. Metro’s Website and App are not intended for children under the age of 13 and we ask that they not use the Website or App. We do not purposefully or knowingly solicit or collect any information, including Personal Information, from children under the age of 13. We expect all information provided by online or mobile users to be truthful and correct regarding age.
If a parent or guardian becomes aware that a child under 13 has provided us with Personal Information, the parent or guardian should contact us (see Contact Us section below), and we will delete such information within a reasonable time.
How You Can Update or Maintain Your Personal Information.
We take reasonable steps to ensure that all Personal Information we collect is maintained as submitted by you to Metro, so that our records reflect your information for its intended purposes, which may include customer correspondence, compliance and legal considerations, auditing, security and fraud prevention, and preserving or defending our rights.
Non-United States Data Protection Laws.
Rights of EU Data Subjects.
The European Union (EU) data protection law known as the General Data Protection Regulation (GDPR) give individuals in the EU more control over their Personal Information and regulate businesses that store Personal Information.
If the processing of your Personal Information is subject to the GDPR, whenever we use or share your Personal Information, we ensure that we have identified a legal basis under which such processing may occur. As described in more detail in the “How We Use Your Personal Information” section above, when we use your Personal Information in connection with a request, order, transaction, or to provide you with services that you requested (such as the use of the Website or App), We do this because it is necessary for the performance of an agreement with you.
Furthermore, to the extent the GDPR is implicated, where we use your Personal Information in relation to improvement, development, or marketing of our products or services, for reasons of safety and security, or to satisfy regulatory requirements, other than in connection with our agreement or request, we do this on the basis of our (or a third party’s) legitimate interests or with your consent, as required.
If you are an EU data subject and if your use of our Website, App or the Micro program is governed by the GDPR, subject to the local and legal and regulatory requirements of the United States, you have the right to:
1. Request access to your Personal Information.
2. Request correction of the Personal Information that we hold about you (though we may need to verify the accuracy of the new data you provide to us).
3. Request erasure of your Personal Information:
i. Where there is no good reason for us continuing to process it or where you have successfully exercised your right to object to processing (see below).
ii. Where we may have processed your information unlawfully or where we are required to erase your Personal Information to comply with local law.
Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which you will be notified of, if applicable, at the time of your request.
4. Object to processing of your Personal Information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your Personal Information for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
5. Request restriction of processing of your Personal Information. This enables you to ask us to suspend the processing of your Personal Information in the following scenarios:
i. if you want us to establish the data’s accuracy;
ii. where our use of the data is unlawful but you do not want us to erase it;
iii. where you need us to hold the data even if we no longer require it as you need it to establish, exercise, or defend legal claims; or
iv. you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
6. Request the transfer of your Personal Information to you or to a third party. We will provide to you, or a third party you have chosen, your Personal Information in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
7. Withdraw consent at any time where we are relying on consent to process your Personal Information. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent. You will not have to pay a fee to access your Personal Information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
In order to exercise your rights under the GDPR, please contact us using the information provided in the Contact us section below. Please put the statement “GDPR Privacy Rights” in the subject line of your request and include your name, country or region, and enough information to allow us to respond to your request in the body of your email.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Information (or to exercise any of your other rights). This is a security measure to ensure that Personal Information is not disclosed to any person who has no right to receive it. We may also contact you to ask for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within a reasonable time period, generally one month, depending on the complexity of the request.
For our users located in the European Union or the European Economic Area, if you feel that, after reaching out to us with your question or concerns, you have not received a satisfactory response, you have the option to contact your country’s Data Protection Authority (“DPA”) or similar regulatory body. To find contact information for your country’s DPA or similar body, please refer to the list provided on the website of the European Commission.
Mail: One Gateway Plaza, Los Angeles, CA 90012-2952
Phone: 323.GO.METRO (323.466.3876) TDD/TTY: Use the California Relay Service at 711 + 323.GO.METRO (323.466.3876)
If Metro needs to contact you, we will use any of the information you have provided to us.
Aggregate Data or information is statistical information that is a combination of Personal Information and/or other data that relates to a group or category of persons from which specific identifying information has been removed.
Anonymous Data is any data or information for which specific identifying information has been removed.
Non-Public Personal Information (“Financial Information,” related to financial transactions pursuant to the Gramm–Leach–Bliley Act) means any personally identifiable financial information resulting from any transaction with a consumer or any service performed for a consumer.
Personal Information means information about a natural person that identifies or describes an individual, including, but not limited to, their name, social security number, email address, physical description, home address, home telephone number, education, financial matters, travel pattern data, license plate number, photograph, bank account information, credit card number, and medical or employment history, readily identifiable to that specific individual. Personal Information also includes Non-Public Personal Information (“Financial Information,” related to financial transactions pursuant to the Gramm–Leach–Bliley Act), and Protected Health Information (“PHI,” related to medical and health information pursuant to the Health Insurance Portability and Accountability Act). Personal Information does not include Aggregate Data or Anonymous Data.
Protected Health Information (“PHI,” related to medical and health information pursuant to the Health Insurance Portability and Accountability Act) means individually identifiable health information, including demographic data, that relates to (i) a person’s past, present or future physical or mental health or condition, (ii) the provision of health care to a person, or (iii) the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
Service Providers means any third party vendors (such as companies that specialize in IT service management, mobile application development services, legal counsel, and credit card processing) and other entities contracted by Metro to provide support and assistance for the Micro program along with its general operations, financial operations, other operations, enforcement, management, and any other services it may offer.