IndyGo MyKey Privacy Policy

Definitions

The following definitions apply:

• Personal Identifying Information (PII): PII identifies or describes a person or can be directly linked to a specific individual. Examples of PII include, but are not limited to, a person’s name, birth date, mailing address, billing address, business name, alternate contact information (if given), telephone number, email address, fax number, MyKey Card serial number, credit or debit card number, security code and expiration date, and information related to a customer’s mobile device if a customer uses the MyKey Mobile Application.  IndyGo also considers data developed as a byproduct of a customer’s use of the IndyGo system (e.g., a user’s travel routes and times traveled) to be PII.
• Aggregate Data or Aggregate Information: Aggregate Data or Aggregate Information is statistical information that is derived from collective data that relates to a group or category of persons from which PII has been obtained or collected. Aggregate Data reflects the characteristics of a large group of anonymous people. Aggregate Data or Aggregate Information is not considered PII.

Collection of Personal Identifying Information (PII)

IndyGo collects personal identifying information from applications and other forms submitted by IndyGo customers to the IndyGo Customer Service Center by telephone, mail, in person, or by electronic submission through the IndyGo website or via the MyKey Mobile Application or MyKey Website.

Additionally, the MyKey Mobile Application may collect certain information automatically, including, but not limited to, the type of mobile device being used, a mobile device’s unique device ID, the IP address of a mobile device, the type of mobile operating system, the type of mobile Internet browsers used on the mobile device, and information about the way a customer uses the MyKey Mobile Application.

How IndyGo Uses Personal Identifying Information

IndyGo uses PII provided by customers in order to provide services through the IndyGo website and the MyKey Mobile Application, to effectively and efficiently process enrollments, manage accounts, respond to questions, send customer emails about MyKey program updates, improve the MyKey program, comply with applicable law, and otherwise communicate with IndyGo customers. PII collected as part of using the MyKey Account system is hosted but not used by third-party contractors, except insofar as that PII is used to process transactions and provide services to IndyGo.

PII is only utilized as described in this Privacy Policy. IndyGo or its third-party contractors will never ask you for your social security number.

Third Parties with Whom IndyGo May Share Personal Identifying Information

IndyGo may disclose PII to third party contractors for the purpose of operating and maintaining the MyKey system, such as managing customer accounts and collecting revenue. Any such third-party contractors are provided only with the PII they need to deliver the service being provided. IndyGo requires third-party contractors to maintain the confidentiality of the information and to use it only as necessary to carry out their duties under the MyKey program. If another party is added to the MyKey program, IndyGo will notify their customers via amendment to this Privacy Policy and on the IndyGo website.

IndyGo requires outside law enforcement and regulatory agencies to obtain a subpoena for MyKey records containing PII, including location data, unless otherwise required by law; IndyGo may also disclose PII if a law enforcement or regulatory agency articulates the existence of a bona fide emergency requiring immediate access to specific records. Additionally, IndyGo may disclose PII without request to appropriate law enforcement agencies should IndyGo find disclosure necessary to protect it or its customers’ rights, property or safety.

IndyGo may provide a MyKey customer’s PII to a third party as necessary to process any transaction using a MyKey Card that a customer may conduct with retail merchants other than IndyGo. As with any credit or debit card payment, if an IndyGo customer conducts a transaction with a retail merchant using the MyKey Mobile Application or any other MyKey program media, IndyGo needs to share some information (for example, the customer’s name and credit or debit card number) with the banks and other entities in the financial system that process credit or debit card transactions. IndyGo is not responsible for third party use of PII provided to retail merchants from which customers use the MyKey Mobile Application or any other MyKey program media to conduct transactions, regardless of whether the transaction was conducted in person or online by the IndyGo customer.

IndyGo may disclose PII to Special Program sponsors for specific purposes, as those sponsors and purposes are described elsewhere in this policy (see “Exceptions” section, below).

Besides these entities, PII will not be disclosed to any other third party without express customer consent, except as required to investigate and respond to consumer complaints or to comply with laws or legal processes served on IndyGo.

Retention of Personal Identifying Information

IndyGo will only store the PII of an IndyGo customer that is necessary to perform activities associated with that information such as billing, account settlement, route planning, or enforcement activities. For example, a customer’s billing address may be stored to process account billing; a customer’s ridership patterns may be stored to assist in route planning. IndyGo may also be required to store customer PII for a certain period of time as required by local, state, and federal laws as they related to record retention.

Credit or debit card information is stored by IndyGo or its third-party contractors to complete transactions and in accordance with card network rules.

Security of Personal Identifying Information

IndyGo is committed to the security of customer PII. IndyGo stores the PII provided by IndyGo customers on computer servers, with security measures reasonably designed to prevent unauthorized access.

Reasonable administrative, technical, and physical security measures are employed to secure PII. Third-party contractors with whom IndyGo shares PII are also required to employ reasonable measures to maintain the security and confidentiality of such information. Despite reasonable security measures IndyGo and its third-party contractors employ there is a risk that unauthorized third-parties may engage in illegal activity, such has hacking into IndyGo or third-party contractor systems, or by intercepting transmissions of PII over communication networks. IndyGo and its third-party contractors are not responsible for any data obtained in such an unauthorized manner.

IndyGo Customer Obligations and Legal Disclaimer

IndyGo customers are responsible for safeguarding personal mobile devices, usernames, passwords, personal identification numbers (PINs), and other authentication information that may be used to access a MyKey Account. IndyGo customers should not disclose authentication information or their social security number to any third party and should notify IndyGo of any unauthorized use of their usernames, passwords, or accounts. IndyGo cannot secure PII that is released by IndyGo customers to others or PII that customers request IndyGo release to others. IndyGo is the only entity that may authorize obtaining data from the MyKey program by a third party. IndyGo is not responsible for any data or PII obtained by a third party as a result of a MyKey Cardholder’s negligence or misuse of MyKey fare media, products, or equipment.  If a MyKey Cardholder’s fare media is lost, stolen, or damaged, IndyGo is not responsible for any data or PII that is obtained by a third party until the problem is reported to IndyGo as defined in the IndyGo Terms of Service.

Compliance with State and Federal Law

As a public municipal corporation organized under the laws of the State of Indiana, IndyGo is subject to the Indiana Access to Public Records Act requiring IndyGo to make available to the public, upon receipt of an APRA request, any written record that is considered public domain under state and federal law. A record containing information that falls under a statutory exemption to the APRA will be protected from disclosure. IndyGo is committed to ensuring the integrity of the information and systems it maintains and implements security measures designed to prevent the loss, misuse or alteration of any information contained in its system. IndyGo uses passcode protection on all accounts under its control and encryption is used to protect the financial data of its account holders.

Account Access and Controls

Registering a MyKey Account is in the customer’s discretion. Please see the IndyGo Terms of Service for information concerning the various benefits and protections associated with registering your MyKey Account. The information required to register an account or to obtain other convenience benefits provided by IndyGo may include PII such as name, mailing address(es), billing address, email address, telephone number, and, for certain convenience benefits, credit or debit card number, expiration date and MyKey Account security code.

Customers who have registered their MyKey Account can review and update information associated with a Personal Account at any time, and are also able to modify, add, or delete this information. Information associated with a Personal Account information can be reviewed and edited by that Personal Account as discussed below under “Updating Personal Account Information.” IndyGo customers can close their account at any time by contacting IndyGo Customer Service at (317) 635-3344.

Aggregate Data

IndyGo may also combine the PII provided by IndyGo customers in a non-identifiable format with other information to create Aggregate Data that may be disclosed to third parties. Aggregate Data is used by IndyGo for many purposes, such as to improve the MyKey program, for the marketing of MyKey, and for general planning purposes to monitor or improve transit service or enhance the transit experience. Aggregate Data does not contain any information that could be used to contact or identify individual IndyGo customers or their accounts. For example, IndyGo may inform third parties regarding the number of MyKey Accounts within a particular zip code. IndyGo prohibits third parties with whom Aggregated Data is shared from attempting to make the information personally identifiable.

Third Party Websites and Applications

The IndyGo website contains links to third party websites. These web links may be referenced within content or placed beside the names or logos of the other entities. IndyGo does not disclose PII to these third-party websites except as described in this Privacy Policy.

Personal Information of Children Under the Age of 13

IndyGo complies with the requirements of the Children’s Online Privacy Act (COPPA) and the FTC’s Rule interpreting COPPA (16 CFR § 512). The MyKey Mobile Application and MyKey Website are not directed to children, and IndyGo does not knowingly collect any personally identifiable information from children under the age of 13. Parents are encouraged to closely monitor internet use of their children. The PII of children will not be knowingly collected online by IndyGo.

Updating Personal Account Information

Customers can review and edit information associated with their Personal Account online at www.indygo.net, via the MyKey Mobile Application, or by calling IndyGo Customer Service at (317) 635-3344.

Complaints or problems regarding updating information associated with a Personal Account should be submitted via the IndyGo website or by contacting IndyGo Customer Service at (317) 635-3344. IndyGo Customer Service will either resolve the issue or forward the complaint to an appropriate IndyGo staff member for a response or resolution. IndyGo strives to answer all queries within 48 business hours, but it may not always be feasible to do so.

Changes to the IndyGo MyKey Privacy Policy

IndyGo reserves the right to modify the MyKey Privacy Policy at any time without notice.  When IndyGo revises the MyKey Privacy Policy, the “last updated” date at the bottom of the MyKey Privacy Policy will reflect the date of the most recent change. We encourage IndyGo customers to review the MyKey Privacy Policy periodically. Continued use of the MyKey program constitutes the customer’s agreement to the MyKey Privacy Policy and any updates.

Exceptions

IndyGo reserves the right to disclose potentially personal identifiable information to Special Program sponsors (defined below) whose program(s) and individual account holder(s) may be enrolled, for the purposes of reporting, invoicing, monitoring, improving sponsored ride programs, and related activities.

“Special Program sponsors” are those institutional participants of sponsored fare programs, including employer-sponsored programs, institutional programs, and other fare programs not generally available to the public.

E-mails Sent to IndyGo

The MyKey Privacy Policy does not apply to the content of emails transmitted directly to IndyGo. Please do not send PII in an email directly to IndyGo.  For more information on how IndyGo protects the content of email correspondence transmitted to and from IndyGo, please click here.

Contact Information

Questions or comments regarding the MyKey Privacy Policy may be directed to IndyGo Customer Service at (317) 635-3344.

Last Updated

This Privacy Policy was last updated July 12, 2019.