Privacy Policy

Flix provides Services to Users and processes personal information / data throughout the United States, Canada, and Mexico.

The data controller for the personal information / data you provide or that is collected by Flix or its affiliates is FlixBus, Inc.

If you have questions regarding our privacy practices may contact our Data Protection Officer as follows:

FlixBus, Inc.
P.O. Box 660362
Dallas, TX 75266-0362
(Attn: Data Protection Officer)

Flix transfers personal information / data of users outside the United States, Mexico, and Canada on the basis of mechanisms approved under applicable laws. Your personal information may be subject to the law of such foreign jurisdiction, including any law permitting or requiring disclosure of the information to the government, government agencies, courts and law enforcement in that jurisdiction.

Summary

Flix collects:

• Information that you provide to Flix, such as when you purchase a ticket and when you communicate with us, such as via chat features on our website, emails, or customer service calls, all of which may be recorded.
• Information created when you use our services, such as location, usage and device information.
• Information from other sources, such as partners selling Flix services.

Details

The following information is collected by or on behalf of Flix:

1. Information You Provide

This may include:

• User Profile: We collect user profile, contact, identification and financial or economic information when you purchase products and services from Flix. This may include your name, email, phone number, login name and password, address, payment or banking information (including related payment verification information), and/or birth date.
   
• Demographic Data: We may collect demographic information about you, including through user surveys. We may also receive demographic information about you from third parties.
   
• User Content: We may collect information that you submit when you contact Flix customer support, provide ratings or compliments for other users, or otherwise contact Flix.
   
• Accessibility: We may collect information you choose to provide us to assist us in providing accommodations to improve accessibility to our services. This may be considered sensitive personal information / data in some jurisdictions.

2. Information Created When You Use Our Services

This may include:

• Location Information: Depending on the Flix Services that you use, and your app settings or device permissions, we may collect your precise or approximate location information as determined through data such as GPS, IP address and Wi-Fi.
   
• Transaction Information: We collect transaction details related to your use of our Services, including the type of Services you requested or provided, your transaction details, date and time the Service was provided, amount charged, distance traveled, and payment method. Additionally, if someone uses your promotion code, we may associate your name with that person.
   
• Usage Information: We collect information about how you interact with our Services. This includes information such as access dates and times, app features or pages viewed, app crashes and other system activity, type of browser, and third-party sites or service you were using before interacting with our Services. In some cases, we collect this information through cookies, pixel tags, and similar technologies that create and maintain unique identifiers. To learn more about these technologies, please see our Cookies and Third-Party Technologies and Services Section (“Cookie Statement”) below.
   
  • Cookies: A cookie is a small text file that is stored on a user’s device, which may be session ID cookies or tracking cookies that collect information about you. For more details, see our Cookie Statement below.
     
• Device Information: We may collect information about the devices you use to access our Services, including the hardware models, device IP address, operating systems and versions, software, file names and versions, preferred languages, unique device identifiers, advertising identifiers, serial numbers, device motion information, and mobile network information.

3. Information From Other Sources

These may include:

• User feedback, such as ratings or compliments.
• Users providing your information in connection with referral programs.
• Users requesting services for or on your behalf.
• Users or others providing information in connection with claims or disputes.
• Partner transportation companies.
• Publicly available sources.
• Marketing service providers.

Flix may combine the information collected from these sources with other information in its possession.

Summary

Flix and/or our service providers may collect and use personal information / data to enable reliable and convenient transportation, and otherwise provide the Services and operate our business with or without your consent as legally permitted. Without limitation, we use the personal information / data we collect:

• To provide transaction and travel confirmation communications.
• To enhance the customer experience including through personalization.
• For customer support, such as responding to your questions and concerns (which may include use of transcripts or recordings collected from chats or customer service calls).
• To facilitate our marketing programs including offers, targeted advertisements, promotions or contests.
• For research, development, and analytical purposes.
• To enhance the safety and security of our users and services.
• In connection with legal proceedings.
• As otherwise disclosed at collection.
• For other purposes not inconsistent with this Privacy Policy or applicable law.

As more fully set forth in the Information Disclosure Section below, Flix may disclose your personal information / data to third parties (i) at your direction or with your consent; (ii) as part of a merger, asset sale, restructuring or similar transaction; or (iii) with third parties who are authorized by Flix as a service provider or otherwise.

Details

Flix uses the personal information / data it collects for purposes including, without limitation:

1. Providing services and features

Greyhound uses the personal information / data we collect to provide, personalize, maintain and improve our products and services. This includes, without limitation, using the information to:

• Enable transportation and other services.
• Provide offers and discounts.
• Verify your identity.
• Process or facilitate payments for those services.
• To track the progress of your ride and notify you of when you will be arriving at a station.
• Enable features that allow you to share information with other people, such as when you submit a compliment about a driver or refer a friend to Flix.
• Enable features to personalize your Flix experience such as to enable quick access to previous destinations.
• Perform internal operations necessary to provide our services, including to troubleshoot software bugs and operational problems, to conduct data analysis, testing, and research, and to monitor and analyze usage and activity trends.

2. Safety and security

We use your personal information / data to help maintain the safety, security and integrity of our services and users. This includes, for example:

Using device, location, profile, usage and other information to prevent, detect, and combat fraud or unsafe activities. This includes processing of such information, in certain countries, to identify practices or patterns that indicate fraud or risk of safety incidents. This may also include information from third parties. In certain cases, such incidents may lead to deactivation or reservation cancellation. We may also use video surveillance to monitor security in stations and vehicles, subject to applicable law, which used by our personnel, vendors, and law enforcement for safety and security purposes.

3. Customer support

Flix uses the personal information / data we collect (including recordings of customer support calls and chat feature transcripts after notice of recording to you) to assist you when you contact our customer support services, including to:

• Direct your questions to the appropriate customer support person.
• Investigate and address your concerns.
• Monitor and improve our customer support responses and train our personnel.

4. Research and development

We may use the personal information / data we collect for testing, research, analysis and product development. This allows us to develop new features and products, improve and enhance the safety and security of our services.

5. Communications from Flix

Flix may use the personal information / data we collect to communicate with you about products, services, promotions, studies, surveys, news, updates and events. Flix may also use the information to promote and process contests and sweepstakes, fulfill any related awards, and serve you relevant ads and content about our services and those of our business partners. You may receive some of these communications based on your profile as a member and/or User.

Customers may opt-out of any commercial emails by selecting “unsubscribe” in any commercial email communication.

6. Market Our Services

Flix may use the personal information / data we collect to market our services, including to provide you personalized content and experiences on our Services, to deliver offers, when you participate in promotions or contests, or for other marketing purposes using tracking technologies and analytics tools described in the Cookies and Third-Party Technologies and Services Section below.

7. Partner Usage of Personal Information / Data

Our partners may collect information directly from your device, such as your IP address, device ID, and information about your browser or operating system; may combine personal and non-personal information about you with information from other sources; and may place or recognize a unique cookie on your browser. This activity enables them to identify you to facilitate the delivery of marketing on our behalf. To opt-out of third-party interest-based advertising cookies, please go to http://www.aboutads.info/choices. See our Cookie Statement below for more about your choices regarding cookies and third-party services. Residents of certain U.S. states have additional opt-out rights described in our U.S. State Notice below.

8. Corporate Transactions

Flix may use personal information / data as part of a corporate transaction, such as to comply with requests of a prospective or an actual purchaser or financier interested in our companies and other assets, including in connection with an asset sale, merger, change of control, bankruptcy, or similar transaction, or due diligence related to such transactions.

9. Legal proceedings and requirements

As permitted by applicable law, Flix reserves the right, without limitation to collect and use information necessary to investigate or address claims, or disputes relating to your use of Flix Services, or as requested by regulators, government entities and official inquiries or by legal process.

10. In a De-identified, Anonymized, or Aggregated Format

Depending on the applicable law, when converted to a de-identified, anonymized, or aggregated format, personal information / data may no longer constitute personal information / data and we may use this information for any business purpose not prohibited by applicable law.

11. With Your Consent

Depending on the applicable law, we may use your personal information / data for any other purposes for which you consent, or for which we give notice at collection, the whole in accordance with applicable law.

Summary

Flix and our partners may use cookies, web beacons, embedded scripts, pixels, tags, session replay tools, SDKs, and other identification technologies (“Tracking Technologies”) in connection with our Services for purposes described in this Privacy Policy. If we use these Tracking Technologies to identify, to locate or to profile you, we will provide you information on how activate those functions.

Details

Cookies are small text files that are stored on your browser or device by websites, apps, online media, and advertisements that are used to remember your browser or device during and across website visits. We may also utilize other Tracking Technologies that may identify you or the devices you use. For example, “pixel tags” (also called web beacons) are small blocks of code installed on (or called by) a webpage, app, email, or advertisement which can retrieve the following information about your device and browser: device type, operating system, browser type and version, website visited, time of visit, referring website, IP address, advertising identifiers, and other similar information, including the small text file (the cookie) that uniquely identifies the device. Pixels provide the means by which third parties can set and read browser cookies from a domain that they do not themselves operate and collect information about visitors to that domain, typically with the permission of the domain owner. “Local storage” refers generally to other places on a browser or device where information can be stored by websites, ads, or third parties (such as HTML5 local storage and browser cache). “Software Development Kits” (also called SDKs) function like pixels and cookies but operate in the mobile app context where pixels and cookies cannot always function. The primary app developer can install pieces of code (the SDK) from partners in the app, and thereby allow the partner to collect certain information about user interaction with the app and information about the user device and network information. Flix uses cookies and similar Tracking Technologies as permitted by applicable law, including for purposes such as:

• Authenticating Users.

• Remembering User preferences and settings.

• Determining the popularity of content.

• Delivering and measuring the effectiveness of advertising campaigns.

• Analyzing site traffic and trends, and generally understanding the online behaviors and interests of people who interact with our Services. We may also allow others to provide audience measurement and analytics services for us, to serve advertisements on our behalf across the Internet, and to track and report on the performance of those advertisements. These entities may use cookies, web beacons, SDKs, and other technologies to identify your device when you visit our site and use our Services, as well as when you visit other online sites and services. Please see our Cookie Statement below for more information regarding the use of cookies and other Tracking Technologies described in this section, including regarding your choices relating to such technologies.

  • Cookies. A cookie is a small text file that is stored on a user’s device, which may be session ID cookies or tracking cookies. Session cookies make it easier for you to navigate the Service and expire when you close your browser. Tracking cookies remain longer and help in understanding how you use the Service and enhance your user experience. Cookies may remain on your hard drive for an extended period of time. If you use your browser’s method of blocking or removing cookies, some but not all types of cookies may be deleted and/or blocked and as a result some features, and functionalities of the Service may not work. HTML5 cookies can be programmed through HTML5 local storage. HTML5 cookies are locally stored on your device other than in the browser and browser settings won’t control them. To identify certain types of local shared objects on your device and adjust your settings, please visit: https://www.w3schools.com/html/html5_webstorage.asp. The site may help to associate some or all of these types of cookies with your devices.

  • Web Beacons (“Tracking Pixels”). Web beacons are small graphic images, also known as “Internet tags” or “clear gifs,” embedded in web pages and email messages. Web beacons may be used, without limitation, to count the number of visitors to the Service, to monitor how Users navigate the Service, and to count content views.

  • Embedded Scripts. An embedded script is programming code designed to collect information about your interactions with the Service. It is temporarily downloaded onto your computer from our web server, or from a third party with which we work and is active only while you are connected to the Service and deleted or deactivated thereafter.

  • Location-identifying Technologies. GPS (global positioning systems) software, geo-filtering and other location-aware technologies locate you (sometimes precisely), or make assumptions about your location, for purposes such as verifying your location and delivering or restricting content based on your location. If you have enabled GPS or use other location-based features on the Service, your device location may be tracked by us and third parties. Our Service content may be personalized based on various information we may have about you to try to provide you with more location-relevant content. You may disable location aware services by changing your settings.

  • Device Recognition Technologies. Technologies, including application of statistical probability to data sets, as well as linking a common unique identifier to different device use (e.g., Facebook ID), which attempt to recognize or make assumptions about users and devices (e.g., that a user of multiple devices is the same user or household) (“Cross-device Data”).

  • In-App Tracking Methods. There are a variety of tracking technologies that may be included in mobile applications, and these are not browser-based like cookies and cannot be controlled by browser settings. Some use device identifiers, or other identifiers such as “Ad IDs,” or may use “SDKs,” to associate app user activity to a particular app and to track user activity across apps and/or devices. SDKs are blocks of code that may be installed in our mobile application by third party companies with which we work. SDKs help us understand how you interact with our mobile application and collect certain information about the device and network you use to access our application, such as the advertising identifier associated with your device and information about how you interact with our application.

  • Device and Activity Monitoring. Technologies that monitor and may record certain of your interactions with the Service, including without limitation, keystrokes, and/or collect and analyze information from your device, such as, without limitation, your operating system, plug-ins, system fonts, and other data, for purposes such as identification, security, fraud prevention, troubleshooting, tracking and/or improving the Services and customizing or optimizing your experience on the Services.

    • Session Replay Technologies. We may use session replay tools to collect real-time information about your use of the Service, such as pages visited, links clicked, non-sensitive information entered, and mouse movements.
       
      • Notably, we use Hotjar to better understand our users’ needs and to optimize the Service and experience. Hotjar is a technology service that helps us better understand our users’ experience (e.g., how much time they spend on which pages, which links they choose to click, what users do and do not like, etc.) and this enables us to build and maintain our Service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behavior and their devices. This includes a device’s IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our Site. Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually restricted to using the personal information / data only to provide us services.
         
  • Chat Features. The Service may also have a chat feature that may use automated responses, and which may record transcripts of the chat.

Some information about your use of our Service and certain third-party services may be collected using Tracking Technologies across time and services and used by us and third parties for purposes such as to associate different devices you use and deliver relevant ads and/or other content to you on the Service and certain third-party services. Some browsers may enable you to turn on or off a so-called “Do Not Track” signal. Because there is no industry consensus on what these signals should mean and how they should operate, we do not look for or respond to “Do Not Track” signals. See the section below entitled Choice and Transparency regarding certain choices regarding these activities. We are giving you notice of the Tracking Technologies and your choices regarding them explained below so that your consent to encountering them is meaningfully informed.

Our Service may include hyperlinks to, or include on or in connection with, the Service (e.g., apps and plug-ins), websites, locations, platforms, applications or services operated by third parties (“Third-Party Service(s)”). These Third-Party Services may use their own cookies, web beacons, and other Tracking Technologies to independently collect information about you and may solicit personal information from you.

Certain functionalities on our service permit interactions that you initiate between the Service and certain Third-Party Services, such as third-party social networks (“Social Features”). Examples of Social Features include: enabling you to send content such as contacts and photos between the Service and a Third-Party Service; “liking” or “sharing” our content; and to otherwise connect our service to a Third-Party Service (e.g., to pull or push information to or from our service). If you use Social Features, and potentially other Third-Party Services, information you post or provide access to may be publicly displayed on our service or by the Third-Party Service that you use. Also, both we and the third party may have access to certain information about you and your use of the Service and any Third-Party Service.

We are not responsible for, and make no representations regarding, the policies or business practices of any third parties, including, without limitation, Third-Party Services, and encourage you to familiarize yourself with and consult their privacy policies and terms of use. See the section called Transparency and Choice for more on certain choices offered by some third parties regarding their data collection and use, including regarding Interest-based Advertising and analytics.

Summary

Some of Flix’s products, Services and features disclose/transfer personal information / data to our related companies and business partners as more fully set forth below, and we use all reasonable safeguards, such as agreements with these third parties to protect your personal information. We may also disclose/transfer personal information / data for legal reasons or in connection with claims or disputes and as otherwise permissible under applicable law and consistent with this Privacy Policy, notice at collection or your direction or consent.

Details

For instance, Flix may disclose the personal information / data we collect to the following:

1. Flix business partners
For example, if you requested a service through a partnership or promotional offering made by a third-party business partner, Flix may disclose/transfer your personal information / data to those third parties to facilitate your request. This may include, for example, Third-Party Services (as defined in the Cookies and Third-Party Technologies and Services section) that integrate with our APIs, or services, or those with an API or service with which we integrate, or business partners with which Flix may partner with to deliver a promotion, a contest or a specialized service. This includes Bus Operators as more fully described in subsection 5 below.

2. With the general public when you submit content to a public forum
We love hearing from our users – including through customer testimonials and surveys, as well as through public forums such as Flix blogs, social media, and certain features on our network. When you communicate with us through those channels, your communications may be viewable by the public.

3. With Flix’s parent company, subsidiaries and affiliates
We disclose/transfer personal information / data to our parent company, subsidiaries and affiliates to help us provide our Services or conduct data processing on our behalf.

4. With Flix service providers
Flix may also provide personal information / data to non-affiliate vendors, consultants, marketing partners, research firms, and other service providers. This may include, for example:

• Payment processors and facilitators
• Data processors.
• Cloud storage providers.
• Marketing partners and marketing platform providers.
• Data analytics providers.
• Call center and live chat vendors.
• Research partners, including those performing surveys or research projects in partnership with Flix or on Flix’s behalf.
• Vendors that assist Flix to enhance the safety and security of its apps.
• Consultants, lawyers, accountants and other professional service providers.
• Fleet partners.
• Insurance and financing partners.
• Third party vehicle suppliers.

5. With Bus Operators
Flix is a broker of services and tickets which brings passengers and transportation together. Flix is not an operator or provider of any transportation services. Transportation services are provided by operators. Accordingly, when you book travel on the Flix Services, it is fulfilled by an independent bus operator (“Bus Operator”). By booking travel on the Flix Services, you direct us to disclose/transfer your booking information to the Bus Operator. The Bus Operator’s privacy policy, not this Privacy Policy, applies to its data practices.

6. For legal reasons or in the event of a dispute
Depending on the applicable law, Flix may disclose/transfer your personal information / data if we believe it is required by applicable law, regulation, operating agreement, legal process or governmental request, or where the disclosure is otherwise appropriate due to safety or similar concerns. This includes disclosing your personal information / data to law enforcement officials, government authorities, airports (if required by the airport authorities as a condition of operating on airport property), or other third parties as necessary to enforce our Terms of Service, user agreements, or other policies, to protect Flix’s rights or property or the rights, safety or property of others, or in the event of a claim or dispute relating to your use of our services. If you use another person’s credit card, we may be required by law to disclose personal information / data to that credit card holder, including trip information.

7. In connection with a corporate transaction
Depending on the applicable law, we may disclose/transfer your personal information / data to others in connection with, or during negotiations or due diligence of, any merger, sale of company assets, consolidation or restructuring, financing, or acquisition of all or a portion of our business by or into another company, as legally permitted.

8. With your consent
Depending on the applicable law, Flix may disclose your personal information / data other than as described in this Privacy Policy if we notify you and you consent to the disclosure, which may be accomplished through a notice at collection.

9. In a de-identified, anonymized, or aggregate form
We may also de-identity, anonymize, or aggregate personal information / data to disclose to third parties for any purpose, as legally permitted.

Without limiting the generality of the foregoing, Flix may retain certain personal information / data, including transaction, location, usage and other personal information / data for approximately 10 years, or as otherwise allowed or required under the applicable law, in connection with regulatory, tax, insurance or other requirements and for other legitimate business purposes in the places in which it operates, or for as long as necessary to fulfill the purposes for which the personal information / data was collected. Depending on the applicable law, once such personal information / data is no longer necessary to provide Flix’s services, enable customer support, enable identification and enhancements the user experience or other operational purposes, Flix takes steps to prevent access to or use of such personal information / data for any purpose other than compliance with these requirements or for purposes of safety, security and fraud prevention and detection or as required by law. Depending on the applicable law, Flix thereafter securely deletes or anonymizes such personal information / data in accordance with applicable laws.

Residents of certain U.S. states have certain deletion rights as explained in our U.S. State Privacy Notice.

Flix may retain certain personal information / data if necessary for its legitimate business interests, such as fraud prevention and enhancing users’ safety and security.

We do not believe that state privacy laws apply to us because of the preemption of state laws regulating our Services by federal law. However, we make good faith efforts to provide our customers with the notices and data subject rights accorded by these laws, as we understand and interpret them and elect to apply them as best practices, as a courtesy.

U.S. State Privacy Notice

Effective Date: April 19, 2023

This U.S. State Privacy Notice (“Notice”) applies to “Consumers” as defined under the California Consumer Privacy Act, including as amended by the California Privacy Rights Act (together, the “CCPA”), the Colorado Privacy Act, the Virginia Consumer Data Protection Act, the Utah Consumer Privacy Act, Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring, Chapter 603A of the Nevada Revised Statutes, and all laws implementing, supplementing or amending the foregoing, including regulations promulgated thereunder (collectively, “U.S. Privacy Laws”). Capitalized terms used but not defined in this Notice shall have the meanings given to them under U.S. Privacy Laws.

This Notice is designed to meet our obligations under U.S. Privacy Laws and supplements the general privacy policies of FlixBus, Inc. and its subsidiaries (“Company,” “our,” “us,” or “we”) or including, without limitation, our Online Privacy Policy. In the event of a conflict between any other Company policy, notice, or statement and this Notice, this Notice will prevail as to Consumers unless stated otherwise.

Applicability:

• Section 1 of this Notice provides notice of our data practices, including our collection, use, disclosure, and sale of Consumers’ Personal Information or Personal Data (collectively, “PI”). It does not apply to our job applicants, current employees, former employees, or independent contractors (“Personnel”). Our California Personnel can learn about our data practices as relates to them in our California Personnel Privacy Notice.
• Sections 2-5 of this Notice provide information regarding Consumer rights and how you may exercise them. It also provides information regarding rights of our California Personnel.
• Section 6 of this Notice provides additional information for California residents, other than our Personnel.

For California residents the term “Consumer” is not limited to data subjects acting as individuals regarding household goods and services and includes data subjects in a business-to-business context. This is not the case in the other states.

The description of our data practices in this Notice covers the twelve (12) months prior to the Effective Date and will be updated at least annually. Our data practices may differ between updates, however, if materially different from this Notice, we will provide supplemental pre-collection notice of the current practices, which may include references to other privacy policies, notices, or statements. Otherwise, this Notice serves as our notice at collection.

We may Collect your PI directly from you (e.g., when you purchase a ticket); your devices; our affiliates; service providers; data analytics providers, advertising networks; other vendors and suppliers; our subsidiaries; other users of our services; public sources of data; or other businesses or individuals.

Generally, we Process your PI to provide you services and as otherwise related to the operation of our business, including for one or more of the following Business Purposes: Performing Services; Managing Interactions and Transactions; Security; Debugging; Advertising & Marketing; Quality Assurance; Processing Interactions and Transactions; and Research and Development. We may also use PI for other Business Purposes in a context that is not a Sale or Share under U.S. Privacy Laws, such as disclosing it to our Service Providers, Contractors, or Processors that perform services for us (“Vendors”), to the Consumer or to other parties at the Consumer’s direction or through the Consumer’s action; for the additional purposes explained at the time of collection (such as in the applicable privacy policy or notice); as required or permitted by applicable law; to the government or private parties to comply with law or legal process or protect or enforce legal rights or obligations or prevent harm; and to assignees as part of an acquisition, merger, asset sale, or other transaction where another party assumes control over all or part of our business (“Corporate Transaction”) (“Additional Business Purposes”). Subject to restrictions and obligations under U.S. Privacy Laws, our Vendors may also use your PI for Business Purposes and Additional Business Purposes and may engage their own vendors to enable them to perform services for us.

We may also use and disclose your PI under this Notice for Commercial Purposes, which may be considered a “Sale” or “Share” under applicable U.S. Privacy Laws, such as when Third-Party Digital Businesses (defined below) Collect your PI via third-party cookies, and when we Process PI for certain advertising purposes. While our Selling or Sharing of PI is currently limited to disclosures to Third-Party Digital Businesses, we reserve the right to Sell or Share PI to others in the future. See Section 2(c) below for information on how to opt-out of Sale/Share/Targeting.

We provide more detail on our data practices in the two charts that follow.

(a) PI Collection, Disclosure, and Retention – By Category of PI

We collect, disclose, and retain PI as follows:

There may be additional information we Collect that meets the definition of PI under applicable U.S. Privacy Laws but is not reflected by a category above, in which case we will treat it as PI as required, but will not include it when we describe our practices by PI category.

As permitted by applicable law, we do not treat deidentified data or aggregate consumer information as PI and we reserve the right to convert, or permit others to convert, your PI into deidentified data or aggregate consumer information, and may elect not to treat publicly available information as PI. We will not attempt to reidentify data that we maintain as deidentified.

As required by California law, we note our general PI retention rules by category of PI in the chart above. However, because there are numerous types of PI in each category, and various uses for each PI type, actual retention periods vary. We retain specific PI pieces based on how long we have a legitimate purpose for the retention.

(b) PI Use and Disclosure – By Processing Purpose

We use and disclose PI for the processing purposes described below:

As described more below, subject to meeting the requirements for a Verifiable Consumer Request (defined below), Company provides Consumers and our California Personnel the privacy rights afforded to them in their state of residence, as described in this section to the extent applicable. For residents of states without Consumer privacy rights, we will consider access, deletion, and correction requests but will apply our discretion in how we process such requests. We will not consider other requests, such as Do Not Sell/Share/Target requests, for residents of states where the law does not require us to do so. We will also consider applying state law rights prior to the effective date of such laws, but will do so in our discretion.

To submit a request to exercise your Consumer privacy rights, or to submit a request as an authorized agent, use our Data Subject Rights Request Form or call us via phone at 1-855-626-8585, and respond to any follow-up inquiries we make. Please be aware that we do not accept or process requests through other means (e.g., via fax, chats, social media etc.). More details on the request and verification process are in Section 2(g). The Consumer rights we accommodate are as follows:

(a) Right to Limit Sensitive PI Processing

We only Process Sensitive PI for purposes that are exempt from Consumer choice under U.S. Privacy Laws.

(b) Right to Know/Access

Residents of California, Virginia, and Colorado are entitled to access PI up to twice in a 12-month period. Residents of Connecticut and Utah are entitled once every 12-month period to access PI maintained by Company, with subsequent requests subject to a service fee. We apply the same limitation on number of Verifiable Consumer Requests in Connecticut and Utah to all states other than California, Virginia, and Colorado.

(1) Categories (available for California Residents Only)

California residents have a right to submit a request for any of the following for the period that is 12-months prior to the request date:

• The categories of PI we have Collected about you.
• The categories of sources from which we Collected your PI.
• The Business Purposes or Commercial Purposes for our Collecting, Selling, or Sharing your PI.
• The categories of Third Parties to whom we have disclosed your PI.
• A list of the categories of PI disclosed for a Business Purpose and, for each, the categories of recipients, or that no disclosure occurred.
• A list of the categories of PI Sold or Share about you and, for each, the categories of recipients, or that no Sale or Share occurred.

(2) Specific Pieces

You may request to confirm if we are Processing your PI and, if we are, to obtain a transportable copy, subject to applicable request limits, of your PI that we have collected and are maintaining. For your specific pieces of PI, as required by applicable U.S. Privacy Laws, we will apply the heightened verification standards as described below. We have no obligation to re-identify information or to keep PI longer than we need it or are required to by applicable law to comply with access requests.

(c) Do Not Sell / Share / Target

Under the laws of California, Colorado, Connecticut, Nevada, Utah, and Virginia there are broad and differing concepts of “Selling” PI for which an opt-out is required. California also has an opt-out from “Sharing” for Cross-Context Behavioral Advertising (use of PI from different businesses or services to target advertisements). Some of these states have an opt-out of “Targeted Advertising” (defined differently but also addressing tracking, profiling, and targeting of advertisements). We may Sell or Share your PI and/or use your PI for Targeted Advertising, as these terms apply under U.S. Privacy Laws. However, we provide residents of California, Colorado, Connecticut, Nevada, Utah, and Virginia an opt out of Sale/Sharing/Targeting that is intended to combine all of these state opt-outs into a single opt-out available regardless of state of residency.

Third-Party digital businesses (“Third-Party Digital Businesses”) may associate cookies and other tracking technologies that Collect PI about you on our services, or otherwise Collect and Process PI that we make available about you, including digital activity information. We understand that giving access to PI on our services, or otherwise, to Third-Party Digital Businesses could be deemed a Sale and/or Share under some state laws and thus we will treat such PI (e.g., cookie ID, IP address, and other online IDs and internet or other electronic activity information) collected by Third-Party Digital Businesses, where not limited to acting as our Service Provider (or Contractor or Processor), as a Sale and/or Share and subject to a Do Not Sell/Share/Target opt-out request. We will not Sell your PI, Share your PI for Cross-Context Behavioral Advertising, or Process your PI for Targeted Advertising if you make a Do Not Sell/Share/Target opt-out request.

Opt-out for non-cookie PI: If you want to limit our Processing of your non-cookie PI (e.g., your email address) for Targeted Advertising, or opt-out of the Sale/Sharing of such data, make an opt-out request here.

Opt-out for cookie PI: If you want to limit our Processing of your cookie-related PI for Targeted Advertising or opt-out of the Sale/Sharing of such PI, you need to exercise a separate opt-out request on our cookie management tool here. This is because we have to use different technologies to apply your opt-out of cookie PI and to non-cookie PI. Our cookie management tool enables you to exercise such an opt-out request and enable certain cookie preferences on your device. A similar tool is available for our app, which you can access via the privacy option of your settings menu. You must exercise your preferences on each of our websites and apps you visit, from each browser you use, and on each device that you use. Since your browser opt-out is designated by a cookie, if you clear or block cookies, your preferences will no longer be effective, and you will need to enable them again via our cookie management tool. Beware that if you use ad blocking software, that may interfere with your ability to access our cookie management tool.

Opt-out preference signals (also known as global privacy control or GPC): Some of the U.S. Privacy Laws require businesses to process GPC signals, which is referred to in California as opt-out preference signals (“OOPS”), which are signals sent by a platform, technology, or mechanism, enabled by individuals on their devices or browsers, that communicate the individual’s choice to opt-out of the Sale and Sharing of personal information. To use an OOPS/GPC, you can download an internet browser or a plugin to use on your current internet browser and follow the settings to enable the OOPS/GPC. We have configured the settings of our consent management platform to receive and process GPC signals on our website. We process OOPS/GPC with respect to Sales and Sharing that may occur in the context of Collection of cookie PI by tracking technologies online by Third-Party Digital Businesses, discussed above, and apply it to the specific browser on which you enable OOPS/GPC. We currently do not, due to technical limitations, process OOPS/GPC for opt-outs of Sales and Sharing in other contexts (e.g., non-cookie PI). We do not: (1) charge a fee for use of our service if you have enabled OOPS/GPC; (2) change your experience with any product or service if you use OOPS/GPC; or (3) display a notification, pop-up, text, graphic, animation, sound, video, or any interstitial in response to the OOPS/GPC.

We do not knowingly Sell or Share the PI of Consumers under 16. If you think we may have unknowingly collected PI of a Consumer under 16 years old, please contact us via mail at FlixBus, Inc., P.O. Box 660362, Dallas, TX 75266-0362 (Attn: Privacy).

We may disclose your PI for the following purposes, which are not a Sale or Share: (i) if you direct us to disclose PI; (ii) to comply with a Consumer rights request you submit to us; (iii) disclosures amongst the entities that constitute Company as defined above, or as part of a Corporate Transaction; and (iv) as otherwise required or permitted by applicable law.

(d) Right to Delete

Except to the extent we have a basis for retention under applicable law, you may request that we delete your PI. Our retention rights include, without limitation:

• to complete transactions and services you have requested;
• for security purposes;
• for legitimate internal Business Purposes (e.g., maintaining business records);
• to comply with law and to cooperate with law enforcement; and
• to exercise or defend legal claims.

Note also that, depending on where you reside (e.g., California and Utah), we may not be required to delete your PI that we did not Collect directly from you.

(e) Correct Your PI

Consumers may bring inaccuracies they find in their PI that we maintain to our attention, and we will act upon such a complaint as required by applicable law.

(f) Automated Decision Making/Profiling

We do not engage in Automated Decision Making or Profiling.

(g) How to Exercise Your Consumer Privacy Rights

To submit a request to exercise your Consumer privacy rights, or to submit a request as an authorized agent, use our Data Subject Rights Request Form or call us via phone at 1-855-626-8585, and respond to any follow-up inquiries we make. Please be aware that we do not accept or process requests through other means (e.g., via fax, chats, social media etc.).

(1) Your Request Must be a Verifiable Consumer Request

As permitted or required by applicable U.S. Privacy Laws, any request you submit to us must be a Verifiable Consumer Request, meaning when you make a request, we may ask you to provide verifying information, such as your name, e-mail, phone number, and/or information related to your relationship with us. We will review the information provided and may request additional information (e.g., transaction history) via e-mail or other means to ensure we are interacting with the correct individual. We will not fulfill your Right to Know (Categories), Right to Know (Specific Pieces), Right to Delete, or Right to Correction request unless you have provided sufficient information for us to reasonably verify you are the Consumer about whom we collected PI. We do not verify opt-outs of Sell/Share/Target or Limitation of Sensitive PI requests unless we suspect fraud.

We verify each request as follows:

• Right to Know (Categories) (available for California residents only): We verify your Request to Know Categories of PI to a reasonable degree of certainty, which may include matching at least two data points provided by you with data points maintained by us, which we have determined to be reliable for the purpose of verifying you. If we cannot do so, we will refer you to this Notice for a general description of our data practices.

• Right to Know (Specific Pieces): We verify your Request To Know Specific Pieces of PI to a reasonably high degree of certainty, which may include matching at least three data points provided by you with data points maintained by us, which we have determined to be reliable for the purpose of verifying you together with a signed declaration under penalty of perjury that you are the Consumer whose PI is the subject of the request. If you fail to provide requested information, we will be unable to verify you sufficiently to honor your request, but we will then treat it as a Right to Know Categories Request if you are a California resident.

• Do Not Sell/Share/Target & Limit SPI: No specific verification required unless we suspect fraud.

• Right to Delete: We verify your Request to Delete to a reasonable degree of certainty, which may include matching at least two data points provided by you with data points maintained by us, or to a reasonably high degree of certainty, which may include matching at least three data points provided by you with data points maintained by us, depending on the sensitivity of the PI and the risk of harm to the Consumer posed by unauthorized deletion. If we cannot verify you sufficiently to honor a deletion request, you can still make a Do Not Sell/Share/Target and/or Limit SPI request.

• Correction: We verify your Request to Correct PI to a reasonable degree of certainty, which may include matching at least two data points provided by you with data points maintained by us, or to a reasonably high degree of certainty, which may include matching at least three data points provided by you with data points maintained by us, depending on the sensitivity of the PI and the risk of harm to the Consumer posed by unauthorized correction.

To protect Consumers, if we are unable to verify you sufficiently, we will be unable to honor your request. We will use PI provided in a Verifiable Consumer Request only to verify your identity or authority to make the request and to track and document request responses, unless you also gave it to us for another purpose.

(2) Agent Requests

You may use an authorized agent to make a request for you, subject to our verification of the agent, the agent’s authority to submit requests on your behalf, and of you. You can learn how to do this by visiting the agent section of our Data Subject Rights Request Form. Once your agent’s authority is confirmed, they may exercise rights on your behalf subject to the agency requirements of applicable U.S. Privacy Laws.

(3) Appeals

Virginia, Colorado, and Connecticut residents may appeal Company’s decision regarding a request by following the instructions in our response to you.

(h) Our Responses

Some PI that we maintain is insufficiently specific for us to be able to associate it with a verified Consumer (e.g., clickstream data tied only to a pseudonymous browser ID). We do not include that PI in response to those requests. If we deny a request, in whole or in part, we will explain the reasons in our response.

We will make commercially reasonable efforts to identify Consumer PI that we Process to respond to your Consumer request(s). In some cases, particularly with voluminous and/or typically irrelevant data, we may suggest you receive the most recent or a summary of your PI and give you the opportunity to elect whether you want the rest. We reserve the right to direct you to where you may access and copy responsive PI yourself. We will typically not charge a fee to fully respond to your requests; provided, however, that we may charge a reasonable fee, or refuse to act upon a request, if your request is excessive, repetitive, unfounded, or overly burdensome. If we determine that the request warrants a fee, or that we may refuse it, we will give you notice explaining why we made that decision. You will be provided a cost estimate and the opportunity to accept such fees before we will charge you for responding to your request.

Consistent with applicable U.S. Privacy Laws and our interest in the security of your PI, we will not deliver to you your passport number in response to a Consumer privacy rights request.

We will not discriminate or retaliate against you in a manner prohibited by applicable U.S. Privacy Laws for your exercise of your Consumer privacy rights. We may charge a different price or rate, or offer a different level or quality of good or service, to the extent that doing so is reasonably related to the value of the applicable data.

We may offer discounts or other rewards (“Incentives”) from time-to-time to Consumers that provide us with PI, such as name, phone number, or e-mail address. You may opt-in to Incentives by subscribing to our Incentive programs we may offer from time-to-time (“Program(s)”). Each Program may have additional terms, available on the Program page or at Program sign-up. The Incentives will be described in the Program page, or at Program sign-up. In the event the Program requires limitation of your consumer privacy rights, the value of your PI will be reasonably related to the value of the Incentive, and by subscribing to a Program you indicate you agree. If you do not, do not subscribe to the Program. If you subsequently wish to withdraw from a Program, the method for doing so will be explained in the Program terms.

Notwithstanding anything to the contrary, we may collect, use and disclose your PI as required or permitted by applicable law and this may override your rights under U.S. Privacy Laws. In addition, we are not required to honor your requests to the extent that doing so would infringe upon our or another person’s or party’s rights or conflict with applicable law.

In addition to the CCPA, certain Californians are entitled to certain other notices, as follows:

This Notice provides information on our online practices and your California rights specific to our online services. Without limitation, Californians that visit our online services and seek to acquire goods, services, money or credit for personal, family or household purposes are entitled to the following notices of their rights:

(a) California Minors

Although our services are intended for an audience over the age of majority, any California residents under the age of eighteen (18) who have registered to use our services, and posted content on the service, can request removal by contacting us via mail at FlixBus, Inc., P.O. Box 660362, Dallas, TX 75266-0362 (Attn: Privacy), detailing where the content is posted and attesting you posted it. We will then make reasonably good faith efforts to remove the post from prospective public view or anonymize it, so the minor cannot be individually identified to the extent required by applicable law. This removal process cannot ensure complete or comprehensive removal. For instance, third parties may have republished or archived content by search engines we do not control.

(b) Shine the Light

We may share “personal information,” as defined by California’s “Shine the Light” law, with third parties for such third parties own direct marketing purposes. California residents may opt-out of this sharing by contacting us at FlixBus, Inc., P.O. Box 660362, Dallas, TX 75266-0362 (Attn: Privacy). You must put the statement “Shine the Light Request” in the body of your correspondence. In your request, please attest to the fact that you are a California resident and provide a current California address for your response. This right is different than, and in addition to, CCPA rights, and must be requested separately. However, a Do Not Sell/Share/Target opt-out is broader and will limit our sharing with third parties for their own direct marketing purposes without the need for making a separate Shine the Light request. We will not accept Shine the Light requests by telephone or by fax, and are not responsible for requests not labeled or sent properly, or that are incomplete.

If you have any questions, comments, or concerns about our privacy practices, please call us at 1-855-626-8585 or email us at data.protection@flixbus.com. Please note that e-mail communications will not necessarily be secure; accordingly, you should not include sensitive information in your e-mail correspondence with us.

If legally required by Mexican law and subject to the requirements therein, Mexican residents may exercise the following rights relating to their personal information / data: (i) rights of Access, Rectification, Cancellation and Opposition (“ARCO Rights”); (ii) revoking the consent granted to Flix for the processing of personal information / data; and (iii) limiting the use or disclosure of personal information / data for certain purposes; and (iv) rejecting the use of your personal information / data for secondary purposes.

The following are secondary purposes for which customers of Mexico may opt-out of such processing by contacting us as set forth in the next paragraph: developing new products and marketing (including providing personalized content and experiences on our Services, delivering offers, and commercial email marketing).

For Mexican residents to exercise these rights, and subject to any other opt-out procedures included herein, please contact our Data Protection Officer at data.protection@flixbus.com, who is in charge of answering the Mexican residents’ data protection-related requests and can provide the Users information regarding the details of the process through which such rights can be exercised.

Under applicable laws and subject to any legal restrictions, Canadian residents may have the right to access and request the rectification of the personal information / data we retain about you if it is inaccurate, incomplete, equivocal or no longer up to date. Such request must be made in writing by contacting us / our Data Protection Officer at the email address or mailing address above. You may withdraw your consent at any time, subject to legal or contractual restrictions and reasonable notice.

Residents of Quebec, beginning September 22, 2023, may have also the following rights:

• to receive an explanation of a decision based exclusively on an automated processing of your personal information (if applicable);
• to request certain types of information about the collection, use and sharing of your personal information by Flix;
• to obtain the communication of your computerized personal information / data in a structured, commonly used technological format.

Summary

Flix provides means for you to see and control the personal information / data that Flix collects, including through:

• in-app privacy settings
• device permissions
• in-app ratings pages
• marketing opt-outs

Details

A. Device Permissions

Most mobile platforms (iOS, Android, etc.) have defined certain types of device data that apps cannot access without your consent. And these platforms have different permission systems for obtaining your consent. The iOS platform will alert you the first time the Greyhound app wants permission to access certain types of data and will let you consent (or not consent) to that request. Android devices will notify you of the permissions that the Flix app seeks before you first use the app, and your use of the app constitutes your consent.

To learn more about how you can control location permissions using your mobile device’s operating system settings, please visit the following links depending on which device you use:

• For Android 6.0 and above: https://support.google.com/googleplay/answer/6270602?hl=en
• For earlier versions of Android: https://support.google.com/googleplay/answer/6014972
• For iOS: https://support.apple.com/en-us/HT207056

B. Marketing Opt-Outs

You may opt out of receiving primarily promotional emails from Flix by using the “unsubscribe” link that is in every “commercial” email. Please note that if you opt out, we may still send you primarily transactional or informational messages, such as ticket confirmations and alerts for changes to your trip.

C. Tracking Technologies Generally

Regular cookies may generally be disabled or removed by tools available as part of most commercial browsers, and in some instances blocked in the future by selecting certain settings. Browsers offer different functionalities and options, so you may need to set them separately. Also, tools from commercial browsers may not be effective with regard to HTML5 cookies (also known as locally shared objects) or other Tracking Technologies. For information on HTML5 cookies, go to https://www.w3schools.com/html/html5_webstorage.asp. Please be aware that if you disable or remove these technologies, some parts of the service may not work and that when you revisit the service your ability to limit browser-based tracking technologies is subject to your browser settings and limitations.

For easy access, here are links on how to manage cookies from some of the more popular browsers:

• Google Chrome
• Firefox
• Internet Explorer
• Edge
• Safari

We do not represent that these third-party tools, programs or statements are complete or accurate. Clearing cookies or changing settings may affect your choices and you may have to opt-out separately via each browser and other device you use. Cookie-enabled opt-outs signals may no longer be effective if you delete, block or clear cookies. We are not responsible for the completeness, accuracy or effectiveness of any third-party notices or choices.

Some App-related Tracking Technologies in connection with non-browser usage (e.g., most functionality of a mobile app) can only be disabled by uninstalling the app. To uninstall an app, follow the instructions from your operating system or handset manufacturer. Apple and Google mobile device settings have settings to limit ad tracking, and other tracking, but these may not be completely effective.

Your browser settings may allow you to automatically transmit a “Do Not Track” signal to online services you visit. Note, however, there is no consensus among industry participants as to what “Do Not Track” means in this context. Like many online services, we currently do not alter our practices when we receive a “Do Not Track” signal from a visitor’s browser. To find out more about “Do Not Track,” you can visit http://www.allaboutdnt.com, but we are not responsible for the completeness or accuracy of this third-party information. Some third parties, however, may offer you choices regarding their Tracking Technologies. One way to potentially identify cookies on our web site is to add the free Ghostery plug-in to your browser at www.ghostery.com, which according to Ghostery will display for you traditional, browser-based cookies associated with the web sites (but not mobile apps) you visit and privacy and opt-out policies and options of the parties operating those cookies. We are not responsible for the completeness or accuracy of this tool or third-party choice notices or mechanisms. For specific information on some of the choice options offered by third party analytics and advertising providers, see the next section.

D. Analytics And Ad Tracking Technologies

You may exercise choices regarding the use of cookies from Google Analytics by going to https://tools.google.com/dlpage/gaoptout or downloading the Google Analytics Opt-out Browser Add-on. You may exercise choices regarding the use of cookies from Adobe Analytics by going to http://www.adobe.com/privacy/opt-out.html under the section labeled “Tell our customers not to measure your use of their web sites or tailor their online ads for you.”

We may engage and work with service providers and other third parties to serve advertisements on the Service and/or on third-party services. Some of these ads may be tailored to your interest based on your browsing of the Service and elsewhere on the Internet, which may include use of precise location and/or Cross-device Data, sometimes referred to as “interest-based advertising” and “online behavioral advertising” (“Interest-based Advertising”), which may include sending you an ad on a third-party service after you have left the Service (i.e., “retargeting”). You may choose whether to receive some Interest-based Advertising by submitting opt-outs. Some of the advertisers and service providers that perform advertising-related services for us and third parties may participate in the Digital Advertising Alliance’s (“DAA”) Self-Regulatory Program for Online Behavioral Advertising. To learn more about how you can exercise certain choices regarding Interest-based Advertising, including use of Cross-device Data for serving ads, visit http://www.aboutads.info/choices/ and http://www.aboutads.info/appchoices for information on the DAA’s opt-out program specifically for mobile apps (including use of precise location for third party ads). For Canada, you can visit https://optout.aboutads.info/?c=3&lang=en, which is the site offered by Digital Advertising Alliance of Canada (“DAAC”), that includes information on how to opt-out of Interest-based Advertising from companies participating in the DAAC. Some of these companies may also be members of the Network Advertising Initiative (“NAI”). To learn more about the NAI and your opt-out options for their members, see http://www.networkadvertising.org/choices/. Please be aware that, even if you are able to opt out of certain kinds of Interest-based Advertising, you may continue to receive other types of ads. Opting out only means that those selected members should no longer deliver certain Interest-based Advertising to you but does not mean you will no longer receive any targeted content and/or ads (e.g., from other ad networks). Also, if your browsers are configured to reject cookies when you visit these opt-out webpages, or you subsequently erase your cookies, use a different device or web browser or use a non-browser-based method of access (e.g., mobile app), your NAI / DAA browser-based opt-out may not, or may no longer, be effective. We support the ad industry’s 2009 Self-regulatory Principles for Online Behavioral Advertising (https://www.iab.com/wp-content/uploads/2015/05/ven-principles-07-01-09.pdf) and expect that ad networks we directly engage to serve you Interest-based Advertising will do so as well, though we cannot guaranty their compliance. We are not responsible for the effectiveness of, or compliance with, any third-parties’ opt-out options or programs or the accuracy of their statements regarding their programs.

In addition, we may serve ads on third-party services that are targeted to reach people on those services that are also identified on one of more of our data bases (“Matched List Ads”). This is done by using Tracking Technologies or by matching common factors between our databases and the databases of the third-party services. For instance, we may use such ad services offered by Facebook or Twitter and other Third-Party Services. We are not responsible for these Third-Party Services, including without limitation their security of the data. If we use Facebook to serve Matched List Ads on Facebook services, you should be able to hover over the box in the right corner of such a Facebook ad, or go to your account settings, and find out what options Facebook offers you to control such ads. If we use Twitter Matched List Ads, you should be able to review your ad options in account settings on Twitter. We are not responsible for such third parties’ failure to comply with your or our opt-out instructions. Additionally, they may not give us notice of opt-outs to our ads that you give to them, and they may change their options without notice to us or you.

We may occasionally update this Privacy Policy.

We reserve the right to change this Privacy Policy from time to time consistent with applicable privacy laws and principles. If we make material changes, we will notify you of the changes through the Flix website or through other means, such as email. To the extent permitted under applicable law, by using our Services after such notice, you consent to our updates to this Privacy Policy.

We encourage you to periodically review this Privacy Policy for the latest information on our privacy practices.