KISS Shuttle Mobile App — Privacy Notice
Effective date: May 13, 2026 | Last updated: May 13, 2026
This Privacy Notice explains what information the KISS Shuttle Services mobile application ("the App") collects, how that information is used, and the choices you have. The App is provided by KISS Products, Inc. ("KISS," "we," "us," or "our") to authorized KISS employees for the sole purpose of operating the KISS employee shuttle service.
1. Scope of this Notice
This Notice applies only to the KISS Shuttle mobile application distributed through the Apple App Store and Google Play Store under the identifier com.kiss.shuttleservices, and to its supporting backend services operated by KISS at smartoffice.kissusa.com.
It does not apply to:
- The KISS consumer website at kissusa.com, which is governed by the KISS Privacy Policy.
- Any other KISS application, system, or service.
If anything in this Notice conflicts with the consumer KISS Privacy Policy with respect to the App, this Notice controls.
2. Who May Use the App
The App is restricted to active KISS employees and contingent workers who have been enrolled in the KISS employee shuttle program. Access requires authentication with your KISS-issued Microsoft work account (Microsoft Entra ID / Azure AD). The App is not directed to, and may not be used by, the general public, members of an employee's household, or any individual under 18 years of age.
3. Information the App Collects
We collect only the information necessary to operate the shuttle service. Specifically:
3.1 Information from your KISS work account
When you sign in with Microsoft, the App receives the following from your KISS Microsoft Entra ID account:
- Your work email address (user principal name).
- Your display name.
- Your Microsoft Entra user identifier.
- An access token, refresh token, and ID token issued by Microsoft.
3.2 Information from your device
| Type | When it is collected | Why |
|---|---|---|
| Precise device location (GPS) — Drivers | Continuously, in the foreground, while you are operating an active shuttle trip. | Route the trip, share the bus's live position with passengers on that route, and produce trip records. |
| Precise device location (GPS) — Riders | Only while the live trip map is open. | Show your position relative to the bus on the map. |
| Camera | Only when you actively open the in-App QR scanner at boarding. | Decode the boarding QR code. No image, video, or photo is captured, stored, or transmitted. Only the decoded text from the QR code is processed. |
| Push notification token (Firebase Cloud Messaging registration token) | Once at sign-in, and whenever the token changes. | Deliver shuttle reminders and operational notifications to your device. |
Operating system and device model (e.g. iOS-17.5, Android-14) |
At sign-in. | Diagnose device-specific issues and route push notifications correctly. |
| Crash and error diagnostics (Firebase Crashlytics) | When the App encounters a fatal native crash, an unhandled JavaScript exception, or a non-fatal error our developers have explicitly tagged for reporting. | Diagnose and fix bugs and stability issues. The report includes the stack trace of the error, the App version, OS version, device model, available memory and disk space at the time of the crash, the in-App breadcrumb log of recent operational events, and a randomly generated Crashlytics installation identifier. It also includes your KISS shuttle user ID and role (driver / admin / rider) so KISS engineers can correlate crashes with your enrolled session. It does not include your name, email, Microsoft tokens, password, location coordinates, or any image or QR content. |
3.3 Information generated by your use of the App
- Your shuttle enrollment status, tier, and role (rider, driver, admin) as recorded in the KISS shuttle backend.
- Your trip reservations, boarding events, and trip history.
- Your acknowledgment of any required commute responsibility waiver.
- Session identifiers and authentication cookies issued by the KISS shuttle backend, stored locally on your device.
- Application logs containing operational events (e.g. login success/failure, push registration result). These logs do not include passwords, Microsoft tokens, or your precise location coordinates.
- Application logs containing operational events (e.g. login success/failure, FCM registration result, network errors). These logs do not include passwords, Microsoft tokens, or your precise location coordinates. A subset of these logs (the recent breadcrumb trail at the time of an error) is transmitted to Firebase Crashlytics together with crash reports as described in Section 3.2.
3.4 Information we do not collect
To be explicit about practices that do not apply to the App:
- We do not collect background location. Location is only collected while the App is open and a relevant screen (driver trip view, passenger map) is in use.
- We do not collect or store images, video, audio, faceprints, or any other biometric data.
- We do not collect contacts, calendars, photos, files, SMS, call logs, health, fitness, or financial information.
- We do not use third-party advertising SDKs. We do not show ads in the App.
- We do not use third-party analytics SDKs. Firebase Analytics is disabled in our build. The App uses Firebase Crashlytics solely to receive automated crash and non-fatal error reports; Crashlytics is a diagnostics service operated by Google and is described in Sections 3.2 and 5.2.
- We do not use session-replay, heatmap, or behavioral-tracking tools.
- We do not sell your personal information.
- We do not share your personal information for cross-context behavioral advertising or "targeted advertising" as those terms are defined under U.S. state privacy laws.
- We do not process personal information to make decisions that produce legal or similarly significant effects about you (no automated decision-making or profiling).
4. How We Use Your Information
We use the information described above only for the following purposes:
- Authentication and access control — to confirm that you are an authorized KISS employee enrolled in the shuttle program.
- Providing shuttle service — to display schedules, accept reservations, route drivers, share the bus's live position with riders, verify boarding via QR scan, and record trip events.
- Operational notifications — to send you reminders, schedule changes, cancellations, and similar service-related messages by push notification.
- Service operation and security — to maintain reliability, diagnose crashes and bugs through Firebase Crashlytics (Section 3.2), prevent unauthorized access, and protect the safety of riders and drivers.
- Compliance and recordkeeping — to maintain trip and waiver records required by KISS internal policy, applicable tax, employment, and transportation laws.
We do not use your information for any other purpose without first notifying you and, where required by law, obtaining your consent.
5. How Your Information Is Shared
We share information only as described below.
5.1 KISS internal systems
The App communicates with the KISS shuttle backend at smartoffice.kissusa.com, which is operated by KISS and accessible only to authorized KISS personnel responsible for the shuttle program.
5.2 Service providers
| Provider | What they receive | Purpose |
|---|---|---|
| Microsoft (Microsoft Entra ID / Microsoft Graph) | Your sign-in attempt and the data described in Section 3.1. | Authenticating you to the App. Microsoft processes this data under your KISS-issued Microsoft 365 / Entra tenant and is governed by the Microsoft Product Terms and the Microsoft Privacy Statement. |
| Google (Firebase Cloud Messaging) | Your FCM device token and the content of push messages we send you. | Delivering push notifications to your device. Governed by Google's terms for Firebase services and the Google Privacy Policy. |
| Google (Firebase Crashlytics) | Crash and non-fatal error reports as described in Section 3.2, plus a Crashlytics installation identifier and your KISS shuttle user ID. | Receiving and aggregating App crash reports so KISS engineers can diagnose and fix bugs. Governed by Google's terms for Firebase services and the Google Privacy Policy. Crash report data is processed in Google's infrastructure, which may include locations outside the United States. |
| Apple (Apple Push Notification service) — iOS users only | A device push token and message payloads. | Delivering push notifications to iOS devices. Governed by the Apple Privacy Policy. |
5.3 Other riders and drivers
While a trip is active, a driver's live bus position and trip status are visible in the App to riders authenticated to that route. A rider's identity is not visible to other riders.
5.4 Legal and safety
We may disclose information when we reasonably believe it is necessary to:
- Comply with a valid subpoena, court order, or other legal process.
- Investigate or respond to a security incident, fraud, or violation of KISS policy.
- Protect the rights, property, or safety of any KISS employee, KISS, or the public.
5.5 Corporate transactions
If KISS is involved in a merger, acquisition, reorganization, or sale of assets, information held by the App may be transferred as part of that transaction, subject to the protections of this Notice.
We do not sell your personal information and we do not share it with advertisers or data brokers.
6. Where Your Information Is Stored
The App's backend is hosted in the United States. Microsoft and Google process the limited data described in Section 5.2 in their own infrastructure, which may include locations outside the United States.
7. How Long We Keep Your Information
| Information | Retention |
|---|---|
| Local tokens and cookies on your device | Until you sign out, uninstall the App, or your tokens expire (Microsoft refresh tokens last up to 90 days). |
| Account and enrollment records on the backend | While you are an enrolled shuttle user, plus two (2) years after deactivation, per KISS records retention policy. |
| Trip records (reservations, boardings, completed trips) | Two (2) years, for operational reporting and compliance. |
| Application server logs containing your user ID | Ninety (90) days. |
| Push notification tokens | Until the token is replaced by your device or you uninstall the App. |
| Firebase Crashlytics crash and error reports | Ninety (90) days, after which Google deletes them per Firebase's standard retention. KISS engineers may export individual reports during that window for bug-fix purposes; exported copies are retained no longer than necessary to resolve the issue. |
8. How We Protect Your Information
We use administrative, technical, and physical safeguards designed to protect the information described in this Notice, including:
- All network traffic between the App and the KISS backend is encrypted in transit using HTTPS / TLS.
- Authentication relies on your KISS Microsoft Entra ID account; the App does not store a separate password for you.
- Access to backend administrative functions is limited to authorized KISS personnel.
- The App requests only the minimum operating-system permissions required for its features.
No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.
9. Your Choices
You can manage the App's access to your data at any time:
- Stop using the App. Sign out from the App's menu, then uninstall it from your device.
- Revoke specific permissions. In your device's system settings, you can disable Location, Camera, or Notifications for the KISS Shuttle App. Some features will not work without these permissions (e.g., drivers cannot operate trips without Location; QR boarding requires Camera).
- Stop receiving push notifications. Disable notifications for the App in your device's system settings.
- Withdraw from the shuttle program. Contact GA@kissusa.com. Your shuttle role will be removed and your access to the App will be deactivated.
10. Your Privacy Rights
Depending on where you reside, you may have the following rights with respect to the personal information described in this Notice:
- Access — request confirmation of the personal information we hold about you in connection with the App, and a copy of it.
- Correction — request correction of inaccurate personal information.
- Deletion — request deletion of personal information, subject to legitimate retention obligations described in Section 7.
- Portability — receive a copy of your personal information in a portable, machine-readable format.
- Non-discrimination — we will not retaliate against you for exercising any of these rights.
To exercise any of these rights with respect to the App, contact GA@kissusa.com. Please include "KISS Shuttle App" in the subject line so your request reaches the right team. We will respond within the time required by applicable law.
The App does not sell or share personal information for cross-context behavioral advertising and does not process sensitive personal information for purposes of inferring characteristics, so opt-out controls for those activities are not applicable.
If you are a California employee, the use of personal information in connection with your employment-related access to the shuttle program is also addressed in the KISS Employee Privacy Notice / Notice at Collection, which is available from KISS Human Resources.
11. Children
The App is not directed to children. We do not knowingly collect personal information from anyone under 18 years of age. If we learn that we have collected information from a person under 18, we will delete it.
12. International Users
The App is designed for KISS employees in the United States. If you access the App from outside the United States, you understand that your information will be transferred to and processed in the United States, where data protection laws may differ from those in your country.
13. Changes to This Notice
We may update this Notice from time to time. If we make a material change, we will notify enrolled shuttle users by in-App notice, push notification, or email at the address associated with your KISS work account. The "Effective date" at the top of this Notice indicates when it was last revised. Your continued use of the App after the effective date of a revised Notice constitutes acceptance of the changes.
14. Contact Us
For questions about this Notice or about how the KISS Shuttle App handles your information:
- Email: GA@kissusa.com — please include "KISS Shuttle App" in the subject line.
- IT support for the App: ithelpdesk@kissusa.com
- Postal mail:
Kiss Products, Inc.
Attn: Privacy — KISS Shuttle App
25 Harbor Park Drive
Port Washington, New York 11050
United States