This privacy notice (v3.3) was last updated, with any changes from the previous version coming into effect, on the 17th September 2021.
We are Smidsy Ltd (otherwise known as Beryl). This privacy notice sets out how we, and our partners in other schemes within the Beryl Network, work to protect your data and respect your privacy.
We encourage and recommend that you read this privacy notice in full. We also understand that people have busy lives however, and so wanted to help you by providing a brief overview of how and why we process your personal data.
In general, we and our partners will only collect the personal data that we need so we can provide you with the full range of our services. For example, in order to hire one of our bicycles we will need your name and payment information. We will also need to monitor when you collect and drop-off a vehicle and the location of the vehicle.
Ultimately, we aim to only process your personal data where it is necessary and we will always keep your personal data secure. Your enjoyment of our services is our primary concern.
If you have any questions regarding this privacy notice or our privacy practices, please contact us by email via firstname.lastname@example.org or by writing to Beryl, The Green House, 244-254 Cambridge Heath Road, London, E2 9DA. Alternatively, you can call us at 0203 3003 5044.
2. Our role in your privacy
Beryl is a micro-mobility company, operating shared bike and scooter schemes across the UK, as well as providing the technology used in other shared schemes within the Beryl network. Beryl is the trading name of SMIDSY Limited (no. 07831245). Our registered address is Beryl, The Green House, 244-254 Cambridge Heath Road, London, E2 9DA.
As a customer of Beryl, or even just a visitor to our website or app, we act as the controller of your personal data. This means that we are responsible for determining the purpose for which your personal data is used, as well as being responsible for keeping it secure. As a controller we have registered with the Information Commissioner's Office in the UK and our registration number is ZA029650.
3. The role of our partners
Some schemes within the Beryl Network are either solely or jointly operated by our partners. In each case our partners will also play a role in your privacy, and the details of this notice describe your relationship with each partner in addition to Beryl.
West Midlands Combined Authority
As a user of West Midlands Cycle Hire, a bike sharing service provided by Transport for West Midlands (TfWM), your data is jointly controlled by Beryl and West Midlands Combined Authority (WMCA). TfWM is an executive body of the West Midlands Combined Authority (WMCA), set up to improve the regions transport infrastructure and create a fully integrated, safe and secure network.
Although WMCA and Beryl are separate legal entities and remain individually responsible for meeting our data protection obligations, we work closely to protect your data and respect your privacy.
If you have any questions, wish to make a request or to raise any concerns to WMCA, you can contact them at:
Telephone: 0121 200 2787 (Switchboard), 0345 303 6760 (Contact centre)
Address: Data Protection Officer, 16 Summer Lane, Birmingham, B19 3SD
4. When and how we collect your data
From the moment you interact with Beryl or our partners, we are collecting data. This privacy notice is designed to help you understand when this happens and whether it’s data that you are giving us, or data about you that we are collecting automatically.
We collect and process various categories of personal data at the start of, and for the duration of your relationship with us. We recognise that your personal data is important to you and so we will limit the collection and processing of information to only what is necessary to achieve one or more legitimate purposes as identified in this privacy notice.
5. The type of data we collect
The following provides details on the different types of data we may collect. We collect data for various purposes, as described later, and so we may not collect everything listed below for you. You may on occasion voluntarily provide us with data beyond anything listed below, in which case we may additionally store this.
📇 Contact details
Your name, address, telephone number, and email address.
💳 Financial information
Your card number, payment details and a unique customer identifier provided to us by our payment processor.
👤 Data that identifies you
Your IP address, browser type and version, mobile device manufacturer and model, time zone setting, operating system and version.
📱 Data on how you use our digital services
Your app and website clickstreams (how you navigate through our app and website), the pages viewed, any errors encountered, how frequently you engage with our app and website, actions you take within our app and website and how often.
🚲 Data from your use of our vehicles
Events related to the hire (or attempted hire) of our vehicles, the route taken when hiring a vehicle, start and drop-off locations (which probably corresponds to your location at these times).
🔐 What about really sensitive data?
We don’t collect any "sensitive data" about you (like racial or ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetic data, biometric data, health data etc). We may occasionally conduct optional surveys that are designed to better understand our customers; each time we do this we will provide you with full details on how we collect, store and process any data collected. As a rule of thumb we don’t link any sensitive data back to individual users.
6. How and why we use your data
Data protection law means that we can only use your data for certain reasons and where we have a legal basis to do so. We will always use your data in line with our responsibilities, and where reasonable, your wishes.
The following is a list of reasons why we, and in some cases our partners, process your data:
- Purpose: To set-up, administer and manage your account with us | Lawful Basis: Necessary for the performance of a contract.
- Purpose: To take payment from you | Lawful Basis: Necessary for the performance of a contract.
- Purpose: To track the location of our bikes and scooters via GPS within the vehicle | Lawful Basis: Legitimate interests so that we can learn more about cycle routes and where our bikes are.
- Purpose: To send you emails regarding news and events which may be of interest to you, including product launches, urban cycling and price promotions | Lawful Basis: Consent.
- Purpose: To seek your views on our products through a survey | Lawful Basis: Consent.
- Purpose: We may also use your email to deliver personalised advertising messages to you [and others like you] via the social media platforms that you use | Lawful Basis: Legitimate interests so that we can advertise our new products and services.
- Purpose: To respond to communications | Lawful Basis: Consent.
- Purpose: To prepare and analyse statistics relating to the use of our site, app and services by you and other customers | Lawful Basis: Legitimate interests so that we can ensure our services, site and app is as enjoyable as possible.
- Purpose: To conduct market research | Lawful Basis: Legitimate interests so that we can better understand the services that our customers most enjoy.
- Purpose: To send you service messages and updates about our app, site and services | Lawful Basis: Necessary for the performance of a contract.
- Purpose: To administer and protect our business and this App including troubleshooting, data analysis and system testing | Lawful Basis: Legitimate interests for running our business, provision of administration and IT services, network security.
- Purpose: To record and analyse customer communications for training purposes | Lawful Basis: Legitimate interests to improve our customer service.
- Purpose: To consider any job applications we may receive | Lawful Basis: Consent.
- Purpose: Those that are necessary for the operation of the site, including allowing you to interact with our site and to recall selections as you move between pages | Lawful Basis: Necessary for the performance of the contract.
- Purpose: Those that analyse your use of our site, monitor our web audience and populate certain content on our site in line with your usage | Lawful Basis: Legitimate interest so we can continue to analyse and improve our site and app.
- Purpose: Those that are used for third party marketing | Lawful Basis: Consent.
Here’s what each of these “legal bases” mean:
You have given us clear consent to process your personal data for a specific purpose. If we are processing data with your consent, we will ensure you are clearly informed of this.
Remember, you can change your mind! If you have previously given consent to us, or our partners, to process your data then you can freely withdraw such consent at any time. You can do this by contacting customer support. If you do withdraw consent and we do not have another legal basis for processing your data, then we will stop processing your personal data. If we do have another legal basis for processing your information, then we may continue to do so subject to your legal rights.
Processing your data is necessary in order to enter into a contract with you and our partners for the provision of a service or to perform our obligations under that contract.
We may process your data where it is in our, or our partners, legitimate interests to do so, and without prejudicing your interests or fundamental rights and freedoms. In each case, these legitimate interests are only valid if they are not outweighed by your rights and interests.
Processing your data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us or our partners.
7. Your privacy choices and rights
You have the following choices and rights in relation to your personal data. For any queries or to exercise these rights please contact our support team. To ensure the security of your personal data we may ask you for valid proof of identity and once we’ve received it, we will provide our response within one month. If your request is unusually complex and likely to take longer than a month, we will let you know as soon as we can and tell you how long we think it will take. If we deem your request to be manifestly unfounded or excessive we may require an administration charge or may refuse the request altogether.
🚫 You can choose not to provide us with personal data
If you choose to do this, you can continue to use our website and app but we may not be able to provide you with a full service (for example, you may not be able to hire a vehicle).
🍪 You can turn off cookies in your browser by changing its settings
📩 You can ask us not to use your data for marketing
When you first register you are given the choice to opt-in to marketing communications. We try to limit how often we send marketing messages but you can opt out from at any time by contacting support or by replying to any marketing message you receive from us. Doing so will not affect your ability to continue using the service.
You can exercise your rights at any time by contacting our support team. Please note that the below rights are not absolute and there may be circumstances where we are unable to comply with your request (whether in whole or in part). Also note that in choosing to exercise your rights we may have to suspend the services we provide to you (for example, in choosing to restrict or erase your data).
🔑 You have the right to access information we hold about you
You are entitled to confirmation that we process your personal data and a copy of such personal data. We will provide you with the information within one month of your request, unless doing so would adversely affect the rights and freedoms of others.
✏️ You have the right to make us correct any inaccurate personal data about you
If you believe the personal data we hold on you is incorrect, you have the right for this to be rectified. You may also update your personal data through your account settings.
👋 You have the right to be ‘forgotten’ by us
You can request us to erase your personal data where there is no compelling reason for us to continue processing it.
⛔ You have the right to object to the processing of your personal data
You have a right to object to us processing your personal data (and to request us to restrict processing) unless we can demonstrate compelling and legitimate grounds for the processing, or where we need to process your information to investigate and protect us or others from legal claims.
💻 You can object to us using your data for profiling or automated decision making
Under data protection legislation we have to let you know when we use your personal data to do something 'automatically', or make an automated decision (without human intervention) that significantly affects you.
We may use your data to tailor any marketing communications to ensure you only receive information that we think is relevant to you. We may also use journey history and travel patterns to improve the services we provide. This processing will normally be done in an anonymised manner to ensure you cannot be identified.
🔁 You have a right to withdraw your consent
Where we rely on your permission to process your personal information, you have a right to withdraw your consent at any time. We will always make it clear where we need your permission to undertake specific processing activities.
📤 You have a right to data portability
Where we have requested your permission to process your personal data or you have provided us with data for the purposes of entering into a contract with us, you have a right to receive the data you provided to us in a portable format (such as CSV or JSON).
😕 You have the right to lodge a complaint regarding our use of your data
Should you have any concerns on our use of your data then please contact our support team first, so that we have a chance to investigate and address your concerns.
8. How we secure your data
We have a range of measures in place to keep your data as secure as possible. When selecting third-party systems and providers, we are careful to choose only those with excellent reputations for security management.
We have put in place procedures to deal with any suspected data breach and will notify you and any applicable regulator when we are legally required to do so.
All data you provide to us is stored on our secure servers, and sent to us using 128 bit encryption on Secured Sockets Layered technology. Payment transactions will be carried out by our chosen third-party providers meaning that at no point does Beryl handle your card details.
And please remember:
- You are responsible for keeping any details used to access Beryl confidential; for example, any passwords or access to email accounts used to authenticate your account.
- If you believe, for any reason, that your privacy has been breached you should contact us immediately on email@example.com.
9. Where we store your data
The Beryl servers are located in the UK. We use processors based in the UK, EU and United States. Where data is processed outside the UK or EU, contractual arrangements are in place with these processors that ensure the adequacy of data protection is in line with that required by the UK and EU.
10. For how long we store your data
We will retain your data for the period necessary for us to provide you with our services and to comply with our legal obligations. If you choose to delete your account, we will archive and stop actively using any personal data. We will delete your personal data from our archives no later than 6 years from your account closure. When we delete personal data, we will do so in a secure way.
11. When and why we may disclose your data
Any data will only be shared where it is necessary and permitted under the Data Protection Act. Any data shared will be proportionate and limited only to what is necessary. We will never sell or rent your personal data to third-parties. We will not share your personal data with third-parties for marketing purposes.
Data sharing with our service providers and partners
When required for the service we are providing you, as described in the section on third-parties who process your data.
Data sharing with government, regulatory and law enforcement
We may share your personal data in order to assist with investigations, to defend our legal rights or property, or to enforce our contracts, but only if we believe in good faith that it is reasonably necessary to do so for legal reasons.
Data sharing with the Department for Transport (UK)
As part of our licence to operate e-scooters in the UK we are required to share data, including some personal data, with the Department for Transport (DfT). This data only relates to your usage of Beryl Scooters; as such if you have not used a Beryl Scooter then your data will not be shared with the DfT.
Data is shared securely with the DfT for the purpose of helping the DfT to understand more about the usage of e-scooters, the impact they have and how they can be promoted as a safe and sustainable transport option. This data will ultimately enable the DfT to make an informed decision about the future use of e-scooters in the UK. Data may be onward shared by the DfT with their third-party research contractors for the purpose of e-scooter trials. You can find out more by reading the DfT’s privacy statement for e-scooter trials.
Data that is shared with the DfT includes:
- User Data: A Beryl user identifier, email address and phone number. These are only used for the purpose of contacting you for research.
- Journey Data: Journey data that is linked to your user, including the rough time of day, duration, distance traveled and approximate location. Specific route data is shared but is not linked to your user account.
- Survey Data: Your voluntary responses to the end of journey surveys (if any).
12. Third parties who process your data
As is common for services like ours, we use a variety of third-parties to help us host and run our application, communicate with customers, process payments etc. We choose to work with third-parties who we believe are the best at what they do.
We ensure that third-party access is always limited to exactly what is necessary. We always ensure that we have contractual agreements with third-parties requiring them to keep your data secure and to never use it for purposes other than as directed by us.
In the case of payments and document verification (e.g. driving licences), we may collect some data about you from third-parties who provide these services (such as Stripe, Onfido and Persona). This enables us to verify any payment methods or documents without having to collect and store details of them ourselves.
Here are the details of our third-party service providers, and what data they collect or we share with them, where they store the data and why they need it:
Marketing, communications and support
Payments and identity
Cookies are small files of information which are stored on your computer. We may use them to store your password so that you don't have to keep filling in a registration form every time you want to log in. We may also use them to study things such as the places on our site that you visit, which parts of our site you like best, where you have come from and who your internet service provider is.
You can delete cookies via your browser settings and can learn more about cookies and how to delete them here.
14. How we update this privacy notice
This privacy notice was last updated on the date set out at the start of the document, including a version number should you wish to reference it. From time-to-time we may make amendments to this notice and when we do we will update the date and version number. If we make any material changes to this notice we will contact you directly about such changes.