Privacy & Confidentiality

Updated May 26, 2025

Privacy policy

The public privacy policy is located here: https://mobilitydata.org/privacy-policy/.

You can link to this page from any MobilityData website, application or service.

Definitions of terms

See Privacy > Definition of terms used in Privacy Policies and Laws

Core principles of privacy laws

  • Individuals must know we collect their PI/SPI.
  • They must know what we will do with their PI/SPI.
  • They must know how long we plan on keeping their PI/SPI.
  • They also must be informed of where their data is stored.
    • If we are to follow the laws to the letter, we would need to, for example, store European Union residents’ information in Europe. For Quebec residents’ information, we would need to store it in Quebec, and so on.
    • If it’s not realistic, we need to do a privacy impact assessment (Law 25).
    • Going by quantity/share of our users, Europe might be the best place to store PI. To be as compliant as possible, Quebec might be, because of data transfer: we are less likely to receive a complaint from Quebec if a minimum of information is stored in Quebec.
  • We have to inform them of their rights regarding their PI/SPI. That includes whether they can ask us to delete or transfer their data.
  • We have to inform them who they need to contact in the company regarding privacy laws, even better if we list all authorities.
  • If there is no personal information stored or transferred, then no privacy laws apply.
  • Except for CPRA, the company managers are personally responsible for any infractions.
  • A user cannot rescind their consent to the privacy policy, but they have the right to withdraw their consent to us having their data.
    • We need to give them an option to delete it;
    • Or to know what the information is;
    • Or to correct it;
    • Right to be forgotten (GDPR);
    • Exception: a good reason to keep the information, like tax obligations, invoicing (control from authorities), or a request from authorities about an investigation of an individual who gave us their PI/SPI.
  • Where the data subject resides is how we know which laws apply.

Other principles

  • Law 25 is based on GDPR but with enough modifications that complying with GDPR doesn’t make you compliant with Law 25, and vice versa.
  • Law 25 was designed with GDPR in mind so that data can flow freely between the European Union and Canada.
  • California’s CPRA is mostly covered if we comply with GDPR & Law 25; whatever is left is minor and can be addressed when there is a complaint, if ever.
  • An internal privacy policy and an external one cannot be the same document, as their target audiences are not the same, and labor laws + work contracts cover a lot already.
  • There is no realistic way to satisfy all requirements of all privacy laws across the planet with one privacy policy, but perfection isn’t required; realistic compliance is.
  • In case of data transfer of PI/SPI outside of Quebec, we must every single time…
    • have a legal basis to do so;
    • submit a privacy impact assessment;
    • and put sufficient security measures in place;
    • For GDPR, only when serious risks are possible is any of this required.
    • When someone residing in Quebec enters their PI/SPI and the data is stored outside of Quebec, this is considered a data transfer (to confirm with lawyer).
  • Documenting what we do is important. With Law 25, we need to be able to show we are actively and continuously doing all we reasonably can to protect PI/SPI.
    • For example, we need to document which individual has given consent to what, on what date, along with some geolocation information (to know which jurisdiction applies to the individual). The “what” could be:
      • Privacy policy
      • Terms of service
      • Newsletter
      • Emails sent from groups.
  • Doing nothing in regard to privacy laws is the worst thing you can do.
  • When contacting someone, we need to tell them where we got their contact info.
  • During the account creation procedure, we need to clearly display a link to the privacy policy and/or terms of service.
  • GDPR: even if we have express consent from an individual, we have to obtain their consent for every other use: privacy policy, receiving communications from us, being contacted for business proposals, etc.
  • Due diligence is important:
    • Saying that we can’t tell where users live, and so can’t know which jurisdiction applies, is not an excuse to not comply with privacy laws.
    • The government requires us to be diligent, show that we tried to be compliant, we consulted lawyers, we posted a policy, tried to circumvent the risks as much as possible, and so on.
  • Unsubscribing from a newsletter/service/application must be as easy as it was to subscribe.
  • The authorities do not actively investigate and control most companies; they focus on large ones like Apple and Google. MobilityData working so closely with both could make MobilityData a target, because they go down the chain.
  • An IP address is considered PI, but…
    • An IP address in itself cannot be directly connected to an individual.
    • Only in combination with other information can it be used to identify an individual, and it thus becomes PI.
    • Covered by Law 25, introduced by GDPR.
  • If we comply with Law 25, we comply with all other provinces in Canada because of how far it goes.
  • GDPR: legal basis for collecting someone’s PI
    • Consent can be legal basis.
    • Without consent: legitimate interest of data controller. Not Law 25 compliant.
  • Consent management platforms (CMP) exist, but are mostly about managing cookies.