Privacy Policy

Traveline Website and App Privacy Policy 

This Privacy Policy explains:

  • What personal data we collect from you when you use our Traveline website and app.
  • How we will collect and use that information;
  • How we keep information secure; and
  • How you can contact us if you wish to exercise any of your rights in relation to the information or make a complaint.

The data controller is:

Traveline Information Ltd. 22 Greencoat Place, London, SW1P 1PR. Registered in England with Company number 03826797

You can contact the Data Protection Officer by email [email protected] or in writing to Traveline Information Ltd. 22 Greencoat Place, London, SW1P 1PR

What does this policy cover?

This policy describes how Traveline Information Limited (also referred to as “TIL”, "we" or "us") will make use of your data when you browse our website, use our app or other services provided by TIL. TIL is the controller of your personal data.

It also describes your data protection rights, including a right to object to some of the processing which TIL carries out. More information about your rights, and how to exercise them, is set out in the “What rights do I have?” section.

What information do we collect?

We collect and process personal data about you when you interact with us and our website or app. Personal data means any information about an individual from which that person can be identified. We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows. This includes:

  • Identity Data includes first name, last name, username or similar identifier,
  • Contact Data includes email address and telephone numbers.
  • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, device ID and other technology on the devices you use to access this website or app.
  • Profile Data includes your username and password, your interests, preferences, feedback, survey responses, travel details and proof of journey.
  • Usage Data includes information about how you interact with and use our website, app, products and services.
  • Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.

We also collect, use and share aggregated data such as statistical or demographic data which is not personal data as it does not directly (or indirectly) reveal your identity. For example, we may aggregate individuals' Usage Data to calculate the percentage of users accessing a specific website feature in order to analyse general trends in how users are interacting with our website to help improve the website and our service offering.

How is your personal data collected?

  • Your interactions with us. You may give us your personal data by filling in online forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
    • create an account on our website or app;
    • subscribe to our service or publications;
    • request marketing to be sent to you; or
    • give us feedback or contact us.
  • Automated technologies or interactions. As you interact with our website or app, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. Please see our cookie policy for further details.
  • Third parties or publicly available sources. We will receive personal data about you from various third parties as set out below]:
  • Technical Data is collected from the following parties:
  • analytics providers such as Google based outside the UK;
  • search information providers [such as [NAME] based [inside OR outside] the UK].

How do we use this information, and what is the legal basis for this use?

The law requires us to have a legal basis for collecting and using your personal data. We rely on one or more of the following legal bases:

  • Performance of a contract with you: Where we need to perform the contract we are about to enter into or have entered into with you.
  • Legitimate interests: We may use your personal data where it is necessary to conduct our business and pursue our legitimate interests, for example to prevent fraud and enable us to give you the best and most secure customer experience. We make sure we consider and balance any potential impact on you and your rights (both positive and negative) before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
  • Legal obligation: We may use your personal data where it is necessary for compliance with a legal obligation that we are subject to. We will identify the relevant legal obligation when we rely on this legal basis.
  • Consent: We rely on consent only where we have obtained your active agreement to use your personal data for a specified purpose, for example if you subscribe to an email newsletter.

We have set out below, in a table format, a description of all the ways we plan to use the various categories of your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Purpose/UseType of dataLegal basis 
To register you as a new customer

(a) Identity

(b) Contact

Performance of a contract with you
To send you relevant marketing communications and make personalised suggestions and recommendations to you about travel and services that may be of interest to you based on your Profile Data.

(a) Identity 

(b) Contact

(c) Technical 

(d) Usage 

(e) Profile 

(f) Marketing and Communications

(a) Performance of a contract with you

(b) Necessary for our legitimate interests (to carry out direct marketing, develop our products/services and grow our business)

(c) Consent, having obtained your prior consent to receiving direct marketing communications.

To manage our relationship with you which will include:

(a) Notifying you about changes to our terms or privacy policy

(b) Dealing with your requests, complaints and queries

(a) Identity 

(b) Contact 

(c) Profile 

(d) Marketing and Communications

(a) Performance of a contract with you 

(b) Necessary to comply with a legal obligation

(c) Necessary for our legitimate interests (to keep our records updated and manage our relationship with you)

To use data analytics to improve our website, products/services, customer relationships and experiences and to measure the effectiveness of our communications and marketing

(a) Technical 

(b) Usage

Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)
To send you relevant marketing communications and make personalised suggestions and recommendations to you about goods or services that may be of interest to you based on your Profile Data

(a) Identity 

(b) Contact 

(c) Technical 

(d) Usage 

(e) Profile 

(f) Marketing and Communications

(a) Necessary for our legitimate interests (to carry out direct marketing, develop our products/services and grow our business)

(b) Consent, having obtained your prior consent to receiving direct marketing communications

To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)

(a) Identity

(b) Contact

(c) Technical

(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)

(b) Necessary to comply with a legal obligation

In connection with legal claims, compliance, regulatory and investigative purposes (including disclosure of such information in connection with legal process or litigation)

(a) Identity

(b) Contact

(c) Profile

(d) Technical

(e) Usage

Necessary to comply with a legal obligation

To carry out market research through your voluntary participation in surveys

(a) Identity

(b) Contact

(c) Profile

(d) Usage

(e) Marketing and Communications

Necessary for our legitimate interests (to study how customers use our products/services and to help us improve and develop our products and services).
To enable you to partake in a prize draw, competition or complete a survey

(a) Identity

(b) Contact

(c) Profile

(d) Usage

(e) Marketing and Communications

(a) Performance of a contract with you

(b) Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business)

Our Legitimate Interests

Operating our organisation in a safe and socially and environmentally responsible manner, efficiently, to provide information about sustainable and high quality, locally and nationally focused passenger transport services, improve and expand our services, be a leading employer in the transport sector, investing in and developing our colleagues, provide and improve customer services.

Direct marketing 

You will receive marketing communications from us if you have requested information from us or purchased goods or services from us and you have not opted out of receiving the marketing.

We may also analyse your Identity, Contact, Technical, Usage and Profile Data to form a view which products, services and offers may be of interest to you so that we can then send you relevant marketing communications. 

Third-party marketing 

We will get your express consent before we share your personal data with any third party for their own direct marketing purposes. 

Opting out of marketing 

You can ask to stop sending you marketing communications at any time by at any time by logging in to your account and updating your preferences or by contacting us at [email protected].

If you opt out of receiving marketing communications, you will still receive service-related communications that are essential for administrative or customer service purposes for example relating to updates to our Terms and Conditions, checking that your contact details are correct.

Cookies

For more information about the cookies we use and how to change your cookie preferences, please see our Cookie Policy.

Sharing or disclosure of your information

We will only share or disclose your information as set out in this Policy or in accordance with Data Protection Law and will obtain your consent where we are required to do so. We will only use third parties to process information where we are satisfied that they comply with these standards and can keep your data secure. We may share or disclose information for the following reasons:

  • We use data processors to provide or assist with some of our services. Where we do so, they must agree to strict contractual terms and to keep your data secure.
  • To respond to your complaints or administer requests you have made, either to us or another regulatory body, ADR or appeals service, or local authorities;
  • If you have agreed to receive information for competition, promotion, survey or research purposes, we may share your contact details with a limited number of parties, but only for the reasons you have agreed to in the terms and conditions of the purpose.

You can find out more below about the information we collect and how we use, share or disclose it.

Who will we share this data with, where and when?

We share your personal data with our web and App supplier, Passenger Transport Group, so that they can provide services.

Public Transport Operating Companies and Local Authorities

If you provide feedback about your travel experience, we may share this with the relevant Public Transport Operating Company and/or Local Authority so they can improve the service they provide. Public Transport Operating Companies and/or Local Authorities may retain your details beyond your use of our app.

Required by law

For purposes which are required by law, in response to requests by government or law enforcement authorities conducting an investigation.

Other data sharing

Personal data may be shared with government authorities and/or law enforcement officials if required for the purposes above, if mandated by law or if required for the legal protection of our legitimate interests in compliance with applicable laws.

Personal data will also be shared with third party service providers, who will process it on behalf of TIL for the purposes identified above. Such third parties include providers of website hosting, app development and app and website maintenance.

Links to other websites 

We may provide hyperlinks from the website or app to websites of third parties. No liability is accepted for the contents of any site operated by a third party which may be accessed via links from the website or app. These links are provided for your convenience only and do not imply that or recommends the content of such websites. We encourage our users to be aware when they leave our site to read the privacy statements of each and every website that collects personally identifiable information. This Privacy Policy applies solely to information collected by Traveline Information Limited.

Recording of calls

To ensure that we have an accurate record of dealings between us (and for training purposes) we may, in certain circumstances, record or monitor telephone calls, however you will always be told when this happens.

International transfers 

The information that we collect from you will only be stored in the UK or a country which Data Protection Law deems provides an adequate level of protection (“permitted countries”) or, where it is necessary to disclose it to our processors located outside the permitted countries, other jurisdictions where appropriate legal and security safeguards are in place. Please contact the Data Protection Officer if you wish to find out more about the safeguards.

Information Security

We use a range of technical and organisational measures to safeguard access to and use of, your personal information and to ensure it retains its integrity and availability. These include structured access controls to systems, network protection, intrusion detection, physical access controls and staff training. We also consider anonymising or pseudonymising personal data where practical.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

What rights do I have?

Right of access

You have the right to ask us for a copy of your personal data. We may need to ask for some further information, such as checking who you are. Our Customer Services team will email you a form, which will help us deal with your request more efficiently. Please let us know if you want to receive the information electronically or in a machine-readable format.

We aim to get the information to you without undue delay and within 30 days. If we have any trouble with this timeframe, we will let you know within 30 days and explain what the problem is. Sometimes we may hold information that we don’t have to provide, for example if it would prejudice a police investigation or contains someone else’s personal data.

In most cases we provide the copy of your data to you for free. We have set out some information about when it might not be free or provided below under the heading ‘How we deal with rights requests’.

Rectification/Restriction

If you believe the information we hold about you is inaccurate or incomplete, you can contact us and ask us to correct it. You may also request any data processing we are carrying out on your data is halted whilst a request for rectification or objection or a dispute over the lawfulness of processing is being considered.

We will provide a response confirming the action we have taken or disagree with taking within 30 days or provide a response within 30 days if the matter is complex and a further time is needed.

Deletion

This is also known as the “Right to be forgotten”, you can request deletion or removal of personal information in some circumstances, such as where there is no compelling reason for its continued processing.

We will provide a response to you without undue delay and within 30 days, confirming whether/what personal data we have deleted and/or explaining why we don’t agree that some data does not need to be deleted.

Withdrawal of Consent

If we relied on consent as the ground for processing your personal data, you can withdraw this consent at any time. It does not affect the processing carried out beforehand. You can withdraw your consent by contacting us directly, or by contacting our data protection officer. Where you have consented to receive direct marketing communications, you can withdraw your agreement at any time, as above or where available updating your preference centre or clicking on the appropriate link in the communication.

We will comply with your request without undue delay and within 30 days.

Objection

You also have a right to request that no further processing takes place in relation to some grounds of processing, such as for direct marketing.

Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) as the legal basis for that particular use of your data (including carrying out profiling based on our legitimate interests). In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your right to object.

We will respond to your request without undue delay and within 30 days, confirming the action we will or won’t take.

Request to transfer to you or a third party

You have the right to request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

The right may be restricted if it is not practical for us to provide the information in this way or it adversely the rights of others.

If we are able to provide your personal data in this way, we will do so in 30 days or we will let you know within 30 days if we require more time or there are any issues with carrying out the request

In addition, you can object to the processing of your personal data in some circumstances (in particular, where we don’t have to process the data to meet a contractual or other legal requirement, or where we are using the data for direct marketing).

These rights may be limited, for example if fulfilling your request would reveal personal data about another person, or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests in keeping.

Exercising your rights 

To exercise any of these rights, you can get in touch with us – or our Data Protection Officer – using the details set out above. If you have unresolved concerns, you have the right to complain to a data protection authority where you live, work or where you believe a breach may have occurred. In the UK, this will be the Information Commissioner’s Office.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

How we deal with rights requests

We will try to deal with your request without undue delay and at least within 30 days. In exceptional circumstances, we may need to extend the time to respond fully, if the request is particularly complex or there are multiple requests. But we will let you know within 30 days.

We are not able to charge you a fee for dealing with rights requests, unless they are manifestly unfounded or excessive or in circumstances where copies have been provided previously. We would always let you know if we thought this was the case, so that you can make a decision about what you wanted to do next.

There are various limitations and exemptions in relation to the exercise of rights in Data Protection Law - for example if it would affect another’s rights and freedoms or if we need to retain the information to make or defend a legal claim. We intend only to rely on limitations and exemptions where it is fair to do so and always bearing in mind that it is your personal data.

Complaints

If we don’t respond to within 30 days of your request or you are not happy with our response you can lodge a complaint with the Information Commissioner Office or issue legal proceedings against us.

We hope that we can satisfy queries you may have about the way we process your data. If you are not satisfied with the way in which we have handled your complaint or rights request then you can contact the Data Protection Officer, at [email protected] or by writing to 22 Greencoat Place, London, SW1P 1PR.

If you are not satisfied with the response you can complain to the ICO. Their contact details are:

Head Office
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.

https://ico.org.uk/global/contact-us/

You also have the right to seek a judicial remedy, issue legal proceedings against us.

How long will you retain my data?

Where we process registration data, as outlined in the ‘What information do we collect’ section of this policy, this may include your email address, password, preferences, and other personal or usage information you provide to us, as well as information we collect automatically when you use our services., we do this for as long as you are an active user of our sites and for 6 years after this.

Where we process personal data for marketing purposes or with your consent, we process the data until you ask us to stop and for a short period after this (to allow us to implement your requests). We also keep a record of the fact that you have asked us not to send you direct marketing or to process your data indefinitely so that we can respect your request in future.

Where we process personal data for site security purposes, we retain it for 6 years.

We keep information collected from cookies and other trackers for 6 years.

Where we process personal data in connection with ticket purchases, we keep the data for 6 years from your last interaction with us.

Changes to the privacy policy and your duty to inform us of changes 

We keep our privacy policy under regular review. 

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, for example a new address or email address.

Ends