ALERT: Convention Center Station Closed for Several Months Starting Monday, January 6 Read More!
x

Effective date:  April 25, 2024

Overview

Metro Transit, a Bi‐State Development enterprise, is committed to ensuring the privacy and security for all its authorized customers age 13 and older. Specifically:

  1. Metro Transit will not provide personally identifiable information (PII) from RideOn! Pass™ accounts to any third party without express customer consent, except as described in the Privacy Policy;
  2. RideOn! Pass™ account PII will never be provided to advertisers for their use; and
  3. Metro Transit will maintain a secure environment for RideOn! Pass customer personal information.

This Privacy Policy is intended to provide an understanding of how Metro Transit handles PII collected by the RideOn! Pass Fare Collection System (RFCS). Among other things, this policy explains the types of information collected from RideOn! Pass customers; the third parties with whom Metro Transit may share this information; and the process by which RideOn! Pass customers are notified about material changes to this Policy.

Metro Transit is the primary operator of the RideOn! Pass Customer Care Center. The RideOn! Pass Terms and Conditions notify customers that by enrolling in the RFCS and using the system, the customer is allowing Metro Transit and other third parties referenced herein, to process personal information according to the provisions set forth in the RideOn! Pass Cardholder License Agreement and this Privacy Policy.

Definitions

Personally Identifiable Information (PII): PII identifies or describes a person or can be directly linked to a specific individual. Examples of PII include, but are not limited to, a person’s name, mailing address, business name, alternate contact information (if given), email address, and telephone number.

Aggregate/Demographic Data or Aggregate/Demographic Information: Aggregate/Demographic Data or Aggregate/Demographic Information is statistical information that is derived from collective data that relates to a group or category of persons without any specific associations or linkages to PII. This Data reflects the characteristics of large groups of anonymous people.

Who is affected

All Metro Transit customers registered within the RFCS.

The Information We Collect

Metro Transit primarily obtains information about you from the information that you provide us (self‐reported) when you register a RideOn! Pass.

Metro Transit may obtain information about you from various other sources, if necessary for the purposes of providing you related services, in our role as processor of RideOn! Pass transactions. We also may have a direct relationship with you, and you may choose to provide personal information to us in connection with that relationship.

As a processor of RideOn! Pass account transactions and provider of related services, we may obtain personal information about you from financial institutions and other entities in connection with your RideOn! Pass account transactions.

In addition, you may choose to submit information directly to us. You may do so, for example, on our websites, in connection with a RideOn! Pass product or service, or when you participate in an offer or promotion. The types of personal information we may obtain are:

  • Contact information (such as name, postal or email address, and phone):
  • Username and password related to RideOn! Pass sites and applications;
  • Content you provide (such as photographs, articles, and comments);
  • Mobile device unique identifier;
  • Social Media identifier (such as Facebook ID);
  • Geolocation data; and
  • Other PII (such as shopping behavior and preferences, language preference, age, date of birth, gender, and family status)

Collection of Personally Identifiable Information (PII)

A RideOn! Pass may either be registered or unregistered. Metro Transit, through its RideOn! Pass™ Center, collects personal information in order to register a RideOn! Pass within the RFCS. Examples of personal information include a RideOn! Pass cardholder’s name, address, telephone number, date of birth, email address, or other information that personally identifies a RideOn! Pass cardholder. Metro Transit obtains this personal information from applications and other forms submitted by RideOn! Pass cardholders to the Customer Care Center, MetroStore, or the ADA Transit Access Center by telephone, mail, fax transmission, or by electronic submission through Metro websites. Data developed as a byproduct of the use of the RFCS (e.g., a registered user’s travel routes and times traveled) is also considered personal information if a card is registered.

How We Use PII

Metro Transit uses the PII provided in order to effectively and efficiently process enrollments, manage accounts, manage cards and purchases, respond to questions, send customer emails about RideOn! Pass updates, provide information regarding significant changes to this Privacy Policy, and otherwise communicate with RideOn! Pass customers. PII is only utilized as described in this Privacy Policy.

Third Parties with Whom We May Share PII

Metro Transit may share PII with the Madison County Illinois Transit (MCT) and the St. Clair County Illinois Transit District (SCCTD) (collectively referred to herein as RideOn! Pass Service Providers) for the purpose of operating and managing the RideOn! Pass. In addition, Metro Transit and the RideOn! Pass Service Providers may disclose personal information to third‐party service providers for the purpose of operating and maintaining the RFCS, such as managing customer accounts and revenue collection.

On our websites, you may choose to use certain features for which we partner with other entities. These features, which include social networking and geographic location tools, are operated by third parties that are not affiliated with the RideOn! Pass. These third parties may use personal information in accordance with their own privacy policies. For those Metro Transit websites on which these features are offered, the relevant third parties are identified. We strongly suggest you review the third parties’ privacy policies if you use the relevant features.

We also may disclose information about you (i) if we are required to do so by law or legal process, (ii) to law enforcement authorities or other government officials, or (iii) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss, or in connection with an investigation of suspected or actual fraudulent or illegal activity.

Besides these situations, PII will not be disclosed to any other third party without express customer consent, except as required to comply with laws or legal processes served on Metro Transit. Metro Transit will not sell, lease, give access to, or loan PII of RideOn! Pass users, their financial records, or their travel histories to any third party for any purpose. Metro Transit or its regional transportation partners may offer RideOn! Pass users the opportunity to “opt‐in” to receive various informational direct mail and email communications from Metro Transit and its regional transportation partners regarding service changes, special promotions, news updates and other information.

Retention of RideOn! Pass PII

Metro Transit shall only store a RideOn! Pass customer’s PII that is necessary to perform account functions such as billing, card, account support, account settlement, or enforcement activities. All PII shall be discarded no later than three years (based on research of retention schedule‐related laws, regulations, and published retention schedules) after the account is closed or terminated.

Security of RideOn! Pass PII

Metro Transit is committed to the security of customer PII. We store the PII provided by RideOn! Pass customers on computer servers that are located in secure, controlled facilities. Servers are designed with software, hardware, and physical security measures in place to prevent unauthorized access.

Access to PII is controlled through appropriate administrative, technical, and physical safeguards designed to protect the personal information you provide against accidental, unlawful, or unauthorized destruction, loss, alteration, access, disclosure, or use. We use Secure Sockets Layer (SSL) encryption on a number of our websites from which we transfer certain personal information. By contract, third parties with whom Metro Transit shares PII are also required to implement adequate security measures to maintain the confidentiality of such information.

Security Safeguards – RideOn! Pass Customer

In addition to Metro Transit’s policies and procedures implementing PII security (see below), the RideOn! Pass customer must safeguard passwords, PINs, and other authentication information that may be used to access a RideOn! Pass account. RideOn! Pass customers should not disclose authentication information to any third party and should notify Metro Transit of any unauthorized use of their passwords.

Security Safeguards – Administrative

Access to PII is limited only to certain operations and technical employees for limited, approved purposes based on their specific work responsibilities. Privacy and security training is required for Metro Transit employees with access to PII, upon hire. In addition, regular periodic refresher training is required for those employees.

Security Safeguards – Technical

RideOn! Pass network perimeters are protected with firewalls. Electronic storage of PII is not encrypted. However, electronic connections to and from the RideOn! Pass website are encrypted.

Security Safeguards – Physical

Physical access to Metro Transit servers is restricted to authorized technical personnel. Data center access to approved technical personnel is restricted via pass code authentication, and other security protocols.

Metro Transit cannot secure PII that is released by a RideOn! Pass customer or PII that a customer requests Metro Transit to release. In addition, there is a risk that unauthorized third parties may engage in illegal activity such as hacking into Metro Transit’s security system or by intercepting transmissions of personal information over the Internet. Metro Transit is not responsible for any data obtained in an unauthorized manner from previous instances of customer‐authorized and released data. Metro Transit is the only entity that may authorize obtaining data from the RFCS.

The Customer Care Center, MetroStore, or ADA Transit Access Center will ask RideOn! Pass customers to verify their identity by providing information that matches the information in the system associated with their account.

Verification questions will be limited to name, address, date of birth, and telephone number, and it shall be limited to customer‐initiated contact or inquiry. Customers may choose to provide financially sensitive information to make a purchase or to inquire about payment processing. Under NO circumstance will customers be requested to provide financially sensitive information for identity verification.

Identity verification is performed solely for protecting customer accounts from unauthorized access to PII and derived PII (such as transaction history), as well as to protect customer RideOn! Pass from unauthorized blocking.

A customer who is unable to match the verification questions with the information in the system shall not be given access to account information.

Metro Transit will never contact customers and initiate any discussion that requires customers to reveal identity or financial information. If a customer ever has any doubt about the authenticity of an email regarding RideOn! Pass, the customer is strongly encouraged to notify the Customer Care Center as soon as possible, either by:

  • Calling in Missouri: 314.982.1500;
  • Calling in Illinois: 618.274.1500; or
  • Contacting the Bi‐State Development’s Director of Corporate Compliance and Ethics at 314.923.3097

RideOn! Pass PII Data Breach Notification

If a breach of any RideOn! Pass customer’s PII has been discovered, those affected, or potentially affected customers will be notified as soon as possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the RideOn! Pass data system.

RideOn! Pass™ Account Access and Controls

Registering a RideOn! Pass is at the customer’s discretion. The required account information consists of PII such as name, date of birth, mailing address(es), email address, and telephone number. Metro Transit may request other optional information, such as alternate contact information, but, in such instances, we will clearly indicate that such information is optional.

Customers can review and update personal account information at any time by calling the Customer Care Center.

RideOn! Pass customers can unregister their account at any time by submitting a completed RideOn! Pass Account De-registration form (available at MetroStLouis.org/RideOn). All account information will be deleted no later than three years after the account is unregistered.

Children’s Privacy

Metro Transit does not knowingly solicit or collect personal information from children through the Customer Care Center or otherwise through the online or hardcopy order or registration forms available in the MetroStore or on the website. If at any time Metro Transit learns that a child under the age of 13 has submitted personal information without a signed registration form by at least one of their parents or guardians, Metro Transit will take all reasonable measures necessary to remove such information from its databases and not use such information for any purpose except where necessary to protect the safety of the child or others or as required by law.

Aggregate Data

Metro Transit may also combine the PII provided by RideOn! Pass customers in a non‐identifiable format with other information to create Aggregate Data that may be disclosed to third parties. Aggregate Data is used by Metro Transit to improve the RideOn! Pass and for the marketing of transit service and planning purposes. Aggregate Data does not contain any information that could be used to contact or identify individual RideOn! Pass customers or their accounts. For example, Metro Transit may inform third parties regarding the number of RideOn! Pass accounts within a particular zip code. Metro Transit requires third parties with whom Aggregate Data is shared to agree that they will not attempt to make information personally identifiable, such as by combining it with other databases.

Cookies

The RideOn! Pass website (MetroStLouis.org/RideOn) stores “cookies” on the computer systems of users of the website. Cookies are small data elements that a website can store on a user’s system.

The cookies used by the website facilitate customer’s use of the website (e.g. remember login names and passwords until the session has ended). The website does not require that users of the website accept these cookies. Also, the website does not store “third party” cookies on the computer systems of users of the website.

Once you leave either the RideOn! Pass website, Metro Transit encourages you to review the privacy policies of other websites visited or linked to/from either website so that you understand how these external sites utilize cookies and how the information that is collected through the use of cookies on these websites is utilized.

Metro Transit does not nor will not knowingly engage in business with any company or vendor that uses Spyware or Malware. Metro Transit does not market detailed information collected from web sessions that can be directly tied to personal information.

Furthermore, Metro Transit does not provide RideOn! Pass customers with downloadable software that collects or utilizes any PII.

Third‐Party Websites and Applications

The RideOn! Pass website may contain links to third‐party websites operated by entities that are affiliated with RideOn! Pass. These web links may be referenced within content, or placed beside the names or logos of the other entities. Metro Transit does not disclose PII to these third‐party websites.

WARNING: Metro Transit is not responsible for the privacy practices of external websites, and your use of external websites (whether through a service or content link) at your own risk. We strongly suggest that you review all privacy policies of external websites you may visit from links on the RideOn! Pass website before using or providing any information to such other websites.

In addition, Metro Transit is not responsible for third‐party applications (referred to going forward as Apps) that access or make use of the RideOn! Pass website or any features thereof. Before a RideOn! Pass customer downloads or accesses Apps, he or she should review the terms of use and privacy policies of the Apps to determine how they collect, use, and/or retain PII. Metro Transit is not responsible for the terms of use or privacy policies of Apps, or the use of PII by such Apps.

The RideOn! Pass website uses functions that have the ability to collect and store self‐reported data. These functions enable RideOn! Pass customers to revise, update, or review information that has been previously submitted by going back to the applicable function, logging‐in, and making the desired changes.

Third‐Party Websites and Applications (continued)

In addition to this method, customers may update their PII by telephoning the Customer Care Center at:

  • In Missouri: 314.982.1500; or
  • In Illinois: 618.274.1500

Complaints or problems regarding updating personal information should be submitted via the website. The Customer Care Center will either resolve the issue or forward the complaint to an appropriate Metro Transit staff member for a response or resolution.

Metro Transit strives to answer all queries within 48 business hours, but it may not always be feasible to do so. If an adequate resolution is not received, please contact Bi‐State Development’s Director of Corporate Compliance and Ethics at:

Bi‐State Development
Attn: Director of Corporate Compliance & Ethics
211 N Broadway, Suite 700
St. Louis, MO 63102‐2759
Email: CorporateCompliance@BiStateDev.org
Call: 314.923.3097

Changes to this Privacy Policy

If Metro Transit decides to make any change to the RideOn! Pass Privacy Policy, Metro Transit will post the revised policy on the RideOn! Pass website MetroStLouis.org/RideOn, along with the dates of all changes.

Metro Transit reserves the right to modify this Privacy Policy at any time, so RideOn! Pass customers are strongly encouraged to frequently review the policy.

Emails Sent to Metro Transit

This Privacy Policy does not apply to the content of emails transmitted directly to Metro Transit. Please do not send PII in an email directly to Metro Transit in order to keep content or data private.

Contact Information

Metro Transit welcomes comments on the RideOn! Pass Privacy Policy. Also, if there are questions about this statement, please contact Development’s Director of Corporate Compliance and Ethics at:

Bi‐State Development
Attn: Director of Corporate Compliance & Ethics
211 N Broadway, Suite 700
St. Louis, MO 63102‐2759
Email: CorporateCompliance@BiStateDev.org
Call: 314.923.3097