Privacy Policy and Personal Data Protection

Privacy Statement

Socibus S.L. and Secorbus S.A. companies (hereinafter "The Group"), in the course of their business activities, collect and process personal data from individuals with whom they maintain business relationships, including Customers, Passengers, Employees, Job Applicants, and Suppliers.

The Group respects your privacy, and for this reason, based on current legislation, has implemented a high level of data protection that complies with said legislation.

The Group is responsible for the processing of your personal data and, therefore, acts as its controller. You understand and accept that the Company, in its effort to offer you a high level of service, regularly works with certain trusted service providers who have access to and process your data under our mandate, which in no case constitutes a transfer of said data. These providers, acting as Data Processors, possess equivalent levels of protection to those of the Company. Principles for the processing of personal data that govern the company’s activity.

About the Socibus Mobile App - Travel by Bus

The mobile phone application called Socibus - Viaja en autobús, developed by our partner Sigma Data Services, is currently published on the Apple Store and Google Play Store, for free download by users.

This application is designed for users to purchase, cancel, and modify tickets, as well as other functions such as maintaining the user’s purchase history.

Steps users must follow to request the deletion of their accounts

For a user to delete their account, they must follow these steps:

Open the Socibus - Viaja en autobús app
Log in using your username and password
Tap the icon in the top left corner of the screen to access the app’s general menu
Tap the "Delete account" option; a window will appear for you to confirm the deletion of your account
Tap "Accept"
Your account will be deleted, along with all your data, within a period of 24 to 72 hours.

Information on the types of data that are deleted or retained, and additional retention periods, in the mobile app

Once your account has been deleted, all your data will also be deleted, except for the following data, which will be retained for a period of 6 years for legal reasons: purchases made by you in the app, including the identification data you entered at the time of purchase, name, surnames, ID number, email, and phone number

About the Group Companies

Please note that both companies are independent commercial entities, but due to the nature of their operations (regular road passenger transport under administrative concessions), they share resources such as buses, personnel, and IT systems for ticket sales and management. For this reason, this privacy and data protection policy is presented jointly, even though it applies individually to each of these companies.

Privacy Principles

What is personal data?

Personal data is any information (numerical, alphabetical, graphic, photographic, acoustic, or of any other type) that identifies or can identify a natural person.

Under this definition, the following principles for the Group’s personal data processing are declared.

1. Fairness and Legality

When processing personal data, the individual rights of the data subjects will be protected.

Personal data will be collected and processed legally, fairly, and transparently.

2. Specific Purpose Limitation

Personal data will only be processed for the purposes for which it was established before the data was collected. Subsequent changes to these purposes are possible only to a limited extent and will require justification and/or consent from the data subjects.

3. Transparency

Data subjects will be informed about how their data is processed. As a general rule, data will be collected directly from the individual concerned. When data is collected, the data subject will be informed of:

The identity of the data controller
The purpose of data processing
Third parties or categories of third parties to whom the data may be transmitted
Any other information concerning them

4. Data Minimization and Data Economy

Before processing personal data, it will be determined what data is necessary to achieve the purpose for which the collection is being made.

Personal data cannot be collected in advance and stored for potential future purposes.

5. Erasure

Personal data that is no longer needed (after the expiration of legal or commercial periods) will be deleted. In the case of historical interest, the conditions and needs for this purpose will be evaluated and justified.

6. Data Accuracy and Up-to-dateness

Stored personal data must be correct, complete, and, if necessary, updated. Necessary measures will be taken to ensure that inaccurate or incomplete data is deleted, corrected, supplemented, or updated.

7. Data Confidentiality and Security

Personal data is subject to confidentiality. It must be secured with appropriate organizational and technical measures to prevent unauthorized access, illegal processing or distribution, as well as accidental loss, modification, or destruction.

8. Lawfulness

The collection, processing, and use of personal data are only permitted under the legal premises established by the company, in accordance with current regulations.

Data Recipients

The Company works with trusted providers to facilitate the collection and processing of Customer and Passenger data, mainly with the following types:

The other company in the group
Management and operations system provider
Accounting software provider
Email service provider
Financial administration provider
CRM (customer management) provider
Employment selection providers
Business and other consulting and auditing providers
Cloud storage tools providers
Banking and financial service providers
Insurance companies (for voluntary insurance management)
Commercial and business professional advisors
Video surveillance service providers
Technology service providers
Marketing service providers
WIFI and Internet service providers on our buses
Travel agencies (for Group ticket sales)

These providers always act under the Company’s mandate and as Data Processors, never as assignees of your data.

Your data will not be transferred to third parties, except for legal obligations or with your express consent.

Recipients in Third Countries

The Company processes and stores personal data in the EU, as well as in the United States, through technological service providers (e.g., Google). In all cases, the Group will take appropriate measures to ensure that your data remains protected by these providers according to the high standards required by EU regulations.

Retention Periods

To determine the retention period for the data in question, the Group follows the following criteria:

6 years for tax data, such as invoices and passenger tickets.
6 years for commercial data.
6 years for labor data, such as employee data
2 years for job applicant data, such as resumes
2 years, after the last contact, for contact data for marketing
3 months for user browsing data on the group’s websites and apps
1 month for video surveillance data
1 month for geolocation and driving data (via tachograph and other devices) of vehicles and their drivers

Your Rights

You have the right to request access to your data, rectification or deletion of your data, restriction of processing, to object to data processing, and to request data portability from the Group. You can exercise your rights by contacting our Data Protection Officer at fjurado@sigma-data.com.

If you believe that we have not adequately addressed your request, you may also file a complaint with the national data protection authority at https://www.aepd.es/es.

Contact Point

If you have any questions or wish to file a complaint regarding the collection and processing of your data, you can contact our Data Protection Officer at fjurado@sigma-data.com.

Information for Customers and Passengers

If you are a Customer (purchaser of any of our services) or a Passenger (user of any of our services), we inform you that we process your data as summarized below:

Data Controllers	Socibús S.A, Secorbús S.A. Estación Sur de Autobuses de Madrid, Calle de Méndez Álvaro, 83, 28045 Madrid
Categories of Data Subjects	Customers (buyers) Passengers (service users)
Purposes	Management of passenger transport service Management of ticket purchase and payment Sending your tickets by email and SMS Sending commercial communications by email and SMS Management of additional services, such as voluntary insurance Provision of WIFI and Internet service on board our buses Management of customer and passenger complaints and incidents Fraud and fraudulent claim management Technical incident management Passenger control on transport services
Lawful Basis	For the execution of a passenger transport contract, including the management of customer and passenger complaints and incidents For the consent granted by you to send commercial communications
Recipients	The Data Processors described above. Your data will not be transferred to third parties, except for legal imperative or express consent.
Rights	You can access, rectify, delete, restrict, and object to the processing, as well as request data portability.
Origin	If you are a buyer, the data is provided by you when purchasing your tickets If you are a passenger, the data is provided by the buyer who purchases the tickets, who declares to have informed you of your rights
Use of cookies	We use our own and third-party cookies to improve the quality of browsing on this website. If you continue browsing our sites, we consider that you accept their use. If you do not wish to accept their use, please do not use this website or configure your browser to avoid the use of cookies. Read below how to do it.

Categories of personal data processed by the Group

We collect personal data directly from customers who purchase their tickets through online channels and personal data from passengers directly from them (if they are customers) or from customers, who at the time of purchase, may register data of other passengers. If this latter case applies to you, we understand that your data has been legitimately supplied by the customer.

Specifically, the Group collects and processes customer and passenger data from the following categories:

Personal data, such as name, surnames, and ID number,
Contact personal data, such as mobile phone number and email address,
Technical data of the device from which the purchase is made, such as operating system and device type
Location data of the device from which the purchase is made, such as IP address, city, and country
Data from the communication channel through which tickets are sent (SMS and email), such as date-time of sending, opening, and clicking.
Data of the service purchased, such as ticket price, origin, destination, service date, seat, bicycle transport, pets, etc.
Data of additional services, such as voluntary transport insurance
Data from operations carried out by registered or unregistered users related to ticket management, such as cancellations, refunds, and return ticket closures; this data is retained for the purpose of managing claims and incidents, as well as for fraud management, fraudulent claims, and technical incident resolution.

Commitment to inform third parties

In the event that you, as a passenger and/or customer, provide third-party data in our systems (e.g., personal data of other passengers traveling with you), you undertake to inform said passengers of the implicit acceptance of this Privacy and Data Protection Policy, that the Terms and Conditions of sale have been accepted, and that they should consult the Privacy Policy at this link. By providing third-party data, you commit on their behalf to its veracity.

Payment Methods

At the time of purchasing your tickets, we do not store payment method data (credit card or other methods). The customer is redirected to an external payment gateway (Virtual POS) of a payment service provider, who acts as a Data Processor. For any matter related to the data protection of your payment method, please contact the provider in question.

Purposes and Legal Bases

The Group collects and processes the described data for multiple purposes, as described in the following table.

Purpose	One of the following legal bases
Management of passenger transport service Management of ticket payment Management of claims and incidents, as well as fraud and fraudulent claim management Passenger control on transport services	Execution of a purchase and sale contract For compliance with legal obligations For the legitimate interest of the company in managing fraud and resolving incidents For the legitimate interest of the company in allowing access to buses only to authorized passengers
Sending your tickets by email and SMS Sending commercial communications by email and SMS	Express consent granted by you
Invoicing, Accounting, Treasury, Taxes, Reporting, statistics, and financial and management reports	Legitimate interest of the Company to carry out its business activity Necessary to comply with legal requirements Necessary for the execution of a contract
Voluntary insurance data	Necessary to comply with legal requirements Necessary for the execution of a contract

Information for Employees and Collaborators

If you are an Employee or Collaborator (e.g., a contracted bus driver), we inform you that we process your data as summarized below:

Data Controllers	Socibús S.A, Secorbús S.A. Other companies held by them Estación Sur de Autobuses de Madrid, Calle de Méndez Álvaro, 83, 28045 Madrid
Categories of Data Subjects	Employees / Collaborators
Purposes	Contract management Human resources management Occupational Risk Prevention Work organization and optimization Prevention of theft and vandalism on company buses
Lawful Basis	For the execution of an employment contract To comply with legal requirements (e.g., tachograph data) For work organization
Recipients	In addition to the Data Processors described above, your data may be transferred to other group companies for internal administrative purposes Your data will not be transferred to third parties, except for legal imperative or express consent.
Rights	You can access, rectify, delete, restrict, and object to the processing, as well as request data portability. Some of these rights may be limited by labor regulations
Origin	Provided directly by the data subject and collected during work activity

Categories of personal data processed by the Group

The Group collects and processes employee/collaborator data from the following categories:

Personal data, such as name, surnames, ID number, and a copy of the ID
Personal and/or family contact data, such as mobile phone number and email address,
Social Security affiliation data
Family status data for tax withholding calculation
Other data collected during the employee’s normal work activity, such as working hours, attendance records, vacation, leave, etc.
Bus geolocation data and driver driving data, collected through navigation devices, tachographs, on-board systems, etc.
Video surveillance images

Purposes and Lawful Bases

The Group collects and processes the described data for multiple purposes, as described in the following table.

Purpose	One of the following legal bases
Management of employment contracts Human resources management Occupational Risk Prevention Work organization	Execution of an employment contract For compliance with legal obligations Legitimate interest of the group for work optimization
HR Management, Accounting, Treasury, Taxes, Reporting, statistics, and financial and management reports	Legitimate interest of the group to carry out its business activity Necessary to comply with legal requirements Necessary for the execution of a contract
Prevention of theft and vandalism on buses	Legitimate interest of the group to protect its assets and resources

Information for Job Applicants

If you are a Job Applicant, we inform you that we process your data as summarized below:

Data Controllers	Socibús S.A, Secorbús S.A. Estación Sur de Autobuses de Madrid, Calle de Méndez Álvaro, 83, 28045 Madrid
Categories of Data Subjects	Job Applicants
Purposes	Selection of job applicants
Lawful Basis	Legitimate interest of the Group Consent provided by the data subject, for certain data (social media profile, etc.)
Recipients	In addition to the Data Processors described above, your data may be transferred to other group companies for personnel selection purposes Your data will not be transferred to third parties, except for legal imperative or express consent.
Rights	You can access, rectify, delete, restrict, and object to the processing, as well as request data portability.
Origin	Provided directly by the data subject Public data obtained from social networks and media

Categories of personal data processed by the Group

The Group collects and processes employee data from the following categories:

Personal data, such as name, surnames, ID number, and a copy of the ID
Personal and/or family contact data, such as mobile phone number and email address,
Professional and personal history data provided in your Curriculum Vitae
Data collected from public profiles on social networks and media

Information for Suppliers, Travel Agencies, and Business Contacts

If you are a Supplier, Travel Agency, or Business Contact (any person interested in doing business with one of our companies), we inform you that we process your data as summarized below:

Data Controllers	Socibús S.A, Secorbús S.A. Estación Sur de Autobuses de Madrid, Calle de Méndez Álvaro, 83, 28045 Madrid
Categories of Data Subjects	Suppliers Travel Agencies Business Contacts
Purposes	Management of supply and service provision contracts Ticket sales by Agency
Lawful Basis	For the execution of a contract For the legitimate interest of the Group in having trusted suppliers For your consent when contacting us and requesting a quote or any other type of commercial information
Recipients	In addition to the Data Processors described above, your data may be transferred to group companies for internal administrative purposes Your data will not be transferred to third parties, except for legal imperative or express consent.
Rights	You can access, rectify, delete, restrict, and object to the processing, as well as request data portability. Some of these rights may be limited by commercial regulations
Origin	The data subject themselves Publicly accessible sources such as Registries Business and company directories Default and risk databases
Use of Cookies (Agencies only)	We use our own and third-party cookies to improve the quality of browsing on this website. If you continue browsing this site, we consider that you accept their use. If you do not wish to accept their use, please do not use this website or configure your browser to avoid the use of cookies. Read below how to do it.

Categories of personal data processed by the Group

The Group receives personal data directly from Suppliers, Travel Agencies, and Business Contacts through online channels and directly from them.

Specifically, the Group collects and processes data from the following categories:

Personal data, such as name, surnames, and ID number,
Professional data such as company and position
Contact professional data, such as mobile phone number and email address,
Data that you supply when requesting a quote or other type of information, such as number of seats required, route, type of bus, etc.
Data obtained from public sources, directories, and default/risk databases
Agencies: when an agency purchases services through the website, the same data described in the Customers and Passengers section is collected.

Cookie Policy

For this site to allow you a satisfactory shopping experience, we install small data files, known as cookies, on users’ devices.

What are cookies?

A cookie is a small text file that websites install on your computer or mobile device when you visit our website. Cookies enable the website to remember user actions and preferences (login identifier, language, font size, shopping cart contents), so you don’t have to re-enter or reconfigure them when you return to the site or browse its pages.

Although cookies are not essential for the website to function, if you enable them, you will enjoy a better browsing experience. If you have cookies disabled, for example, you will receive constant messages about the Privacy Policy and similar items, or for instance, when logging in, the system will not recognize you as a registered user. However, you can delete or block cookies at your discretion.

The information associated with cookies is not used to personally identify the user, although we associate some cookie data with purchases made by registered and unregistered users. On the other hand, we maintain full control over data about your browsing patterns. These cookies are used exclusively for the purposes indicated here.

How and Which Cookies Do We Use?

We use the following first-party and third-party cookies:

Login cookies, to remember you as a registered user
To remember your website usage preferences, for example, whether you have consented to our use of cookies on our website.
Google Recaptcha cookies, to ensure the page is not used by robots.
Google Analytics cookies, the service that performs website usage analysis.
Webloyalty cookies: specifically, we will collect the terminal type (mobile or desktop), the operating system (iOS or Android), the browser name and version, the timestamp (date and time) when the banner is displayed, the referring URL, and the hashed IP address, meaning it is encrypted under the SHA-256 algorithm.

How to Manage Cookies

You can delete or disable your browser’s cookies at any time.

To learn how to do this, consult aboutcookies.org. In addition to being able to delete all cookies already on your computer, you can also configure your browser to stop accepting them, but please keep in mind that you may have to manually reconfigure your preferences each time you visit a site, and certain services and functionalities may cease to work.

Information updated on April 21, 2021.

Responsables del tratamiento	Socibús S.A Secorbús S.A.
Finalidades	La gestión del servicio de transporte adquirido por Ud. La gestión del cobro de billetes El envío de sus billetes por e-mail y SMS El envío de comunicaciones comerciales por e-mail y SMS La gestión de reclamaciones, gestión del fraude e incidencias técnicas
Legitimación	Por la adquisición de billetes de transporte por Ud, lo que constituye un contrato de prestación de servicios Por el consentimiento otorgado por Ud. para realizar comunicaciones comerciales
Destinatarios	Lea el texto completo, donde se indican todos los destinatarios No se cederán sus datos a terceros, salvo imperativo legal
Derechos	Ud. puede acceder, rectificar, suprimir y oponerse al tratamiento, así como solicitar la portabilidad de los mismos
Procedencia	Si Ud. es comprador, los datos son aportados por Ud.al adquirir sus billetes Si Ud. es pasajero, los datos son aportados por el comprador que adquiere los billetes
Información completa	Puede acceder al texto completo sobre Protección de Datos en nuestra página web pulsando aquí.
Uso de cookies	Utilizamos cookies propias y de terceros para prestar nuestros servicios en esta web. Si continua navegando, consideramos que acepta su uso. Si no desea aceptar su uso, por favor no utilice esta página web o bloquéelos. Texto completo sobre cookies aquí.