Student Privacy Statement & Cookie Policy

Processing Personal Data

Your privacy matters to us. This statement forms the basis upon which personal data that we collect from you or that you provide us with is processed by TripKey B.V. (hereafter “TripKey”, “we”, “us” or “our”). Please read this document thoroughly to know how TripKey handles your personal data.
The term ‘Personal Data’ refers to information about you personally (name, phone number, email, etc.). Please keep in mind that both changes in the law as well as the ever changing state of current technology mean that our privacy statement is subject to change. Anytime a change in our Privacy Statement occurs, we will update this document without informing you. The most recent version of our Privacy Statement applies. We therefore advise you to check this statement regularly.
We process your personal data with the utmost care and in accordance with the GDPR (General Data Protection Regulation). The fundamental idea when processing personal data is that the data that is processed is sufficient, not excessive and relevant.

Who is responsible for the data?

TripKey, its statutory seat in Amersfoort, is the Controller for the Processing of your data. The statement pertains to the gathering and more in general the processing of personal data by TripKey, with the main goals of processing payments and providing the mobility services of TripKey.


We don’t retain the personal data we collect longer than is necessary for the purposes for which it was collected as stated in this Privacy Statement. After the retention period mentioned here, all your personal data will be removed, unless the data has to be retained longer due to legal obligations. Removal implies anonymizing, destroying or processing in such a way that it’s no longer possible to identify you.

What data is collected and for what purpose?

You can provide us with information by filling in forms on our website(s), by using our website or our app, by contacting us through telephone or email, by using third-party services or otherwise. This includes information that you provide when registering on our websites and app, when using third-party mobility services, when sending us a request, when contacting our customer service, when concluding a contract for delivery of services, when participating in promotions or questionnaires and when reporting a problem with our website. The personal data you provide, which is necessary to provide our services and/or provide you with an answer can include your name, address, email address, phone number, trip information (location, date, supplier, customer number), and payment data. We will not use your personal data for other purposes than mentioned in this Privacy Statement. We will never sell your personal data.

More specifically, to comply with your request to supply, amend or update one or more (mobility)services, we need to collect your data in the following cases.

Concluding a contract

Before you can make use of the services of TripKey you conclude a contract with TripKey by agreeing with our terms of use. You conclude this contract during your registration on our TripKey app. To be able to draft and manage this contract we’ll need to process your contact data, personal data and log in data.

This data is used on a legal basis, namely to be able to perform the contract. We retain your data on our website for a maximum of 18 months after termination your user account.

Concluding an invoicing relationship

In case we enter into an invoicing relationship with you TripKey needs your account details like personal data, name and address details and your payment information.

This data is used on a legal basis, namely to be able to perform our administrative duties. We will retain this data for ten years after the invoicing date.

Creating a personal user account on the secure environment of our TripKey app
Activating and using third-party transport-, destination- and financial services

With your personal account you can activate and manage third-party services. These third parties are for example public transport bike, RC-BKA (public transport) and Mollie (financial services). To facilitate proper functioning of these services within TripKey we need to exchange your data with these third parties. If you make use of third party services through our app, we will exchange data with these/this third parties/party.

We take measures to prevent a personal data breach from happening. In this context we only exchange data with third parties that these parties need to perform their services. In some cases this is just your TripKey card number, on other cases your name and contact data is passed on. We receive travel information and trip data from third parties. Consider location, date, supplier and price of a transaction.

This third party deals with you as an independent controller. By using the services offered by this/these third party/parties through TripKey you agree to the terms and conditions and the privacy statement of this/these party/parties. We only collaborate with parties that have been thoroughly vetted and that adhere to strict privacy demands. Nevertheless the party in questions is the controller after receipt of your data. We are not responsible for the content, privacy and security practices and the policy of third parties with which we exchange data. We advise you to study the privacy and security practices of the third party before you provide them your data. You can find these on the website of the third party, if necessary you can ask the third party to provide these documents to you.

The basis for the exchange of data with third parties is the performance of a contract. We process your data from external parties until 18 months after termination of your user account. The retention period of the third party can be found in the privacy policy of the party in question.

Customer contact and (electronic) messages

To be able to answer your questions or help you with something it is sometimes necessary for us to use your data. This data has been provided to us by you. This concerns for example your contact data, your trip data or your device data. In some cases, like remote assistance, it’s also necessary for us to access your personal environment. To be able to process complaints or requests it can be necessary for us to use your payment information.

We will send you messages via email and sms that are not commercially driven without your consent. For example messages about purchase, payment, management amendment or termination of Services or about the use of third-party Services, in case of adaptations or calamities.

The basis for processing this data is the performance of a contract. We retain your customer contact data and electronic messages to a maximum of 18 months after the termination of your user account.


To create reports and to perform statistical research we use aggregated data, like travel data whenever possible. We do not use names, email addresses or other directly identifying information for reporting to TripKey management.

The basis for processing this data is the performance of a contract and looking after the legitimate interests of TripKey. We retain reports until 18 months after termination of the user account.

Improving TripKey

TripKey continuously works to improve its services and your user experience. To improve our services your data is analyzed. For example, your travel data, website and app usage, and system and account data is analyzed.
The basis for processing this data is looking out for the legitimate interests of TripKey. We retain your data up to 18 months after termination of your user account.

Keeping TripKey secure

In the interest of fraud prevention and detection we can use your contact and travel data. We can also use your account and system data, including your IP addresses for security purposes.

The basis for the processing is looking out for the legitimate interests of TripKey. We retain your data up to 18 months after the data was created. In case of fraud or unauthorized access we retain the data up to 10 years after the time of the incident.

To whom do we provide personal data?

  • We can provide you with the personal data that applies to you. We provide your data to the following categories of recipients:
  • We are required to provide your personal data should we be obliged by law for any reason.
  • We exchange data with third parties that act as Controller. See ‘Activation and use of third-party transport services’
  • We provide personal data to our pick up and drop off points. This involves the information about your order.
  • We can provide your personal data to Processors as known under the GDPR. These are suppliers that perform activities commissioned by us. When we collaborate with partners we – as Controllers – make sure that personal data is processed properly and accurately in accordance with the GDPR by our suppliers. This involves the following types of Processors:
    – Hosting parties
    – Customer Service Software
    – Telecommunication suppliers
    – Analytic software
    – Security software for keeping our services secure
    – Filesharing
    – Research software and services

Storage data

We store your personal data within the European Economic Space.

Links to third-party sites

Our service may contain links to third-party sites, apps and advertisements, that may collect information about you. We do not control such sites or their activities. All data, including personal data you provide to these third parties, are provided directly to these parties and are subject to the privacy statement of these third parties. We are not responsible for the content, privacy- and security practices and the policy of third parties to which these links refer or redirect. We advise you to study the privacy and security practices and the policy of the third party before you provide them with data. You can find these on the third party’s website, if necessary you can ask the third party to provide your with these documents.


We’ve taken physical, technical and organizational measures to protect your personal data. We do everything we can to ensure the complete reliability, accuracy and integrity of your personal data in our databases and to protect the privacy and security of our applications and databases. At least the following measures are in place:

  • We have set up physical and technical measures and management procedures that were designed to prevent unauthorized access, and/or loss or abuse of personal data as much as possible;
  • Sensitive information or personal data, like account passwords and other payment related identifiable information is encrypted before being transmitted;
  • Sensitive information is encrypted and/or hashed (this includes your password) when retained; we limit the internal access to personal data to employees who need this information to be able to perform their job;
  • Our employees are bound by a confidentiality clause;
  • Our information management systems are designed in such a way that employees who are not authorized to access certain information or personal data, in principle don’t have access to that information;
  • Our servers are located in a secured environment in datacenters. You only gain access to our servers front-end and only by logging in with a user name and password. You are personally responsible for the safe keeping of your login data;
  • The personal data is regularly backed up.

Seven rights

The personal data that we use of course is and remains your property. Therefore you have the right to view, amend, delete, limit or transfer the data we have of you to someone else. In some cases this is possible though or via the request form on the service page. You can apply for the following from us:

  • A request to data portability based on your right to transfer your personal data to another party;
  • A request to erasure with which you can enforce your right to be forgotten;
  • A request to access based on your right to view the personal data we have of you;
  • A request to rectify and complete which gives you the right to amend the personal data we work with;
  • A request to restriction of processing with which you can utilize your right to have less of your personal data processed; and
  • A request to objection with which you can enforce your right to object to the data processing.

We will ask you to proof your identity as soon as we’ve received a written request to make sure we don’t report your personal data to others. Next we will offer you an overview of all the personal data that we retain of you and/or correct, amend, export or remove personal data. Your request will be handled within 30 days. We would like to inform you that your request may have consequences for the use of our services.

Questions or complaints?

Everyone has the right to ask a question or file a complaint with us about the processing of their personal data by contacting us in any of the ways mentioned hereafter. If you want to correct your data, if you have a question or in case you object to us processing your data, you can send us a message. We, TripKey, are located in Amersfoort and hold office at Utrechtseweg 9, 3811 NA. Our service desk is available via phone: +31 889 343 443 and email:

In case of any complaints about the processing of personal data or the handling of complaints pertaining the processing of personal data by TripKey you can contact the Autoriteit Bescherming Persoonsgegevens directly, through phone number: (088) 18 52 50, or via:

This Privacy Statement has come into effect on August 1 2021. We reserve the rights to amend the policy.