1. About Rail Staff Travel

Rail Staff Travel (RST) is part of the Rail Delivery Group. RST provides rail staff travel facilities for you and your eligible dependants as current or former employees of the rail industry. Eligibility uses various criteria based upon your career history and other relevant details.

 

Rail Staff Travel Limited (RST, we, our or us) is a trading name of Rail Staff Travel Limited, a company registered in England and Wales under company number 03069020 whose registered office is at 200-202 Part Second Floor Aldersgate Street, London, EC1A 4HD.

 

2. About this privacy policy

This privacy policy applies to the personal data we collect about you through our website (www.railstafftravel.com) (Website). For Rail Staff Travel’s full Privacy Notice, see https://www.raildeliverygroup.com/rst/rst-privacy.html

This privacy policy may change from time to time and, if it does, the up-to-date version will always be available on this Website. We will also tell you about any important changes to our privacy policy.

3. What personal data do we collect about you?

This section informs you of what information we collect about you and why. Personal data means any information about an individual from which that individual can be identified.

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
 

Identity Data includes first name, surname, Unique User ID.

Contact Data includes billing address, delivery address, postcode, email address and telephone numbers.

Financial Data includes payment card details which are tokenised.

Transaction Data includes details as to your journeys, details about payments to and from you and other details of products and services you have purchased from us.

Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.

Profile Data includes your username and password, purchases or orders made by you, any interests communicated to us to enable the personalisation of services, travel preferences.

Usage Data includes information about how you use the Website, products, and services.

 

4. How is your personal data collected?

We already hold data on you to enable us to issue rail staff travel facilities to you and your eligible family members. In addition to this, we use different methods to collect data from and about you including through:

 

Direct interactions:

We collect personal data about you if you fill in forms on the Site.

This includes information you provide when you:
 

register to use our Website

buy train tickets or reserve seats


 

Automated technologies or interactions:

If you use our Website, we automatically collect the following information:
 

web usage information (e.g. IP address), your login information, browser type and version, time zone setting, operating system and platform; and

information about your visit, including the full Uniform Resource Locators (URLs) clickstream to, through and from our Website (including date and time); time on page, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks and mouse-overs).

Where we collect information about you in the ways described above, we do so on the basis that it is in our legitimate interests to collect and process this data. In most situations this will be anonymised but we collect and process this data to ensure that our site is functioning properly and that our customer experience is to the standard that you and we expect.

The Website may, from time to time, contain links to and from the websites of advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

We also use cookies on our Website. Please see section 12 for more information.

No automated decision-making or profiling will take place using your personal data.


 

5. Purposes for which we will use your personal data

This section explains how we will use personal data you provide to us in order to carry out the activities relevant to the provision of our services to you.

We must have a legal basis for processing your personal data. We consider that we have a legal basis where:
 

you have given us consent to do so for the specific purposes which we have told you about - for example, we will need your consent to process any health information you provide to us, such as information relating to mobility;

it is necessary for us to do so to enable us to provide you with the services that you have requested from us - for example, contacting you about your journey;

it is necessary in order to fulfil our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests; or

the law otherwise permits or requires it.

Where we process your personal data on the basis of our legitimate interests, these are our (or our third party’s) interests in providing our services to you in an efficient and secure manner.

We have set out below a list of all the ways we may use your personal data and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are, where appropriate.

In some cases we may use more than one legal basis for processing your personal data; this will depend on the specific purpose for which we are using your personal data. Please contact us using the details in section 13 if you have any queries about the specific legal basis that we rely on for processing your personal data.

 

What we use your personal data for (purpose)

• To register you as a new customer

• To manage our relationship with you which will include:

(a) notifying you about changes to our Website, services, terms, or privacy policy;

• To administer and protect our business and the Website (including training our employees, troubleshooting, data analysis, testing, system maintenance, security audits, support, reporting and hosting of data)

• To establish, exercise and defend our legal rights

 

6. Communications

This section is to explain how we will ensure that you only receive communications that you wish to receive:
 

Service communications:

As detailed in the table at section 6, we may send you communications such as those which relate to any service updates (e.g. service disruption). We consider that we can lawfully send these communications to you as we have a legitimate interest to do so, namely, to effectively provide you with the best service we can.

Marketing communications:

We will never send marketing communications to you.

7. Who will have access to your personal data?

This section is to explain who within RST will have access to your data. Your personal data will only be seen or used by our employees who have a legitimate business need to access your personal data for the purposes set out in this privacy policy.



8. Who else might we share your personal data with?

This section will inform you of who we share your personal data with and why. Except as explained in this privacy policy, we will not share your personal data without your consent unless required to do so by law.

 

We currently will supply your data to one or more of these fulfilment houses:

Fast Line Ticketing. They will not have access to your personal data, as they use an App that consumes our data source and only print the label and send.

The policy that we apply to those organisations to keep your data safe and protect your privacy is that:

• We provide only the information required to perform the specific service.

• They may only use your data for the exact purposes we specify to them.

• When the specific rail staff travel facility production has been completed, they destroy the data we had provided and confirm that they have done so.

• If we stop using their services, any of your data held by them will be deleted immediately.

The IT companies that support our database and other business systems may have access to your data in order to maintain our systems. These are:

iBlocks Ltd

Worldline

These companies have security measures in place which comply with GDPR.

 

Sharing your data with third parties for their own purposes:

 

We will only do this in very specific circumstances, for example:

• For fraud management, we may share information about alleged fraudulent activity that involves the use of rail staff travel facilities. This may include sharing data about individuals with law enforcement bodies, TOCs and Transport for London. The data disclosed may also include journey data where this is available (e.g. if you have a smartcard).

•  To assist employers with any disciplinary investigations where data is requested. This could include providing journey data from smartcards. This can only be requested by the named contact that Rail Staff Travel has for the company.

• We may also need to share your information with a regulator or to otherwise comply with the law.

 

We may also be required to disclose your data to the police or other enforcement, regulatory or Government body, in your country of origin or elsewhere, upon a valid request to do so. These requests are assessed on a case-by-case basis and take your privacy into consideration.
 

Additionally we may share your personal data with the following third-parties who assist us with administering the provision of our services to you:
 

analytics and search engine providers that assist us in the improvement and optimisation of our site;

agents we engage to perform functions on our behalf including fulfilling order deliveries, repaying compensation claims for delay, sending customer communications, analysing data, processing payments. They have access to personal data needed to perform their functions, but may not use it for other purposes.

We may also pass Aggregated Data on the usage of our site (e.g. we might disclose the median ages of visitors to our site, or the numbers of visitors to our site that come from different geographic areas) to third parties but this will not include information that can be used to identify you personally.

9. How do we protect your personal data?

This section explains how we keep your personal data safe and where it will be held.

We take your privacy seriously and are committed to maintaining the privacy and security of the personal data you provide to us, and the choices you have regarding our collection and use of your personal data.

Once we have received your personal data, we follow strict security procedures as to how your personal data is stored and used, and who sees it, to help stop any unauthorised access.

Any payment transactions will be encrypted. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. You should not share this information with anyone.

If our UK-based servers fail, we will need to use our servers in the USA.
Where your personal data is transferred from the UK to a recipient outside the UK in a country not recognised by the United Kingdom as providing an adequate level of protection for personal data, such transfer shall be covered by a framework recognised by the relevant authorities or courts as providing an adequate level of protection for personal data including but not limited to Standard Contractual Clauses (the agreement in the form annexed to the European Commission's decision of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries).

Unfortunately, the transmission of your personal data via the internet is not completely secure and although we do our best to protect your personal data, we cannot guarantee the security of your data transmitted to us over the internet and you acknowledge that any transmission is at your own risk.

10. How long do we keep your personal data?

This section explains the length of time that we will retain your personal data.

We will keep your personal data for no longer than is necessary for the purposes for which it was obtained. For your online account, your account will be deleted two years after you last signed into it.

 

All booking data is removed automatically 14 months after the booking is completed.

 

11. What are your rights?

This section explains that you have a number of rights in relation to your personal data. There are circumstances in which your rights may not apply. You have the right to request that we:
 

provide you with a copy of the information we hold about you;

update any of your personal information if it is inaccurate or out of date;

delete the personal data we hold about you - if we are providing services to you and you ask us to delete personal data we hold about you then we may be unable to continue providing those services to you;

restrict the way in which we process your personal data;

stop processing your data if you have valid objections to such processing; and

transfer your personal data to a third party.

For more information on your rights and how to use them, or if you would like to make any of the requests set out above, please contact us using the details provided in section 13. We will respond to all such requests within the time period required by law. Occasionally it may take us longer, if your request is particularly complex, you have made a number of requests or you have not supplied the information we need to respond to you. In this case, we will notify you and keep you updated.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

12. Cookies

The Website uses cookies. Cookies are text files containing small amounts of information which are downloaded to your personal computer, mobile or other device when you visit a website. For more information please see our Cookies Policy.

13. Who can you ask for more information?

If you have any questions or concerns about how we handle your personal data, you can contact us using any one (or more) of the following:

Post: Data Protection Partner Rail Staff Travel, PO Box 72071, London, EC1P 1JD

Email: rst@raildeliverygroup.com

 
Alternatively, if you want to exercise your rights you can do so online at:

 

https://privacyportal-eu-cdn.onetrust.com/dsarwebform/9b3b1acc-9f1b-4f29-b26a-0e42305da169/48b24b68-bc8d-4051-a5b4-37eb3278610b.html

If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your data, you have the right to lodge a complaint with the Information Commissioner’s Office. You can contact them by calling 0303 123 1113. Or go online to www.ico.org.uk/concerns (opens in a new window; please note we are not responsible for the content of external websites). If you are based outside the UK, you have the right to lodge your complaint with the relevant data protection regulator in your country of residence.

Cookie policy

Last updated: November 2021

This policy explains how our website uses cookies.

What is a cookie?

Cookies are text files containing small amounts of information which are downloaded to your personal computer, mobile or other device when you visit a website.

Cookies are then sent back to the originating website on each subsequent visit, or to another website that recognises that cookie. Cookies are useful because they allow a website to recognise a user's device.

Cookies in themselves do not identify you, just the computer or device you are using. Cookies do lots of different jobs, like making it easier for you to log onto, and use, our site during future visits, letting you navigate between pages efficiently, remembering your preferences, and generally improving your experience. They also allow us to monitor traffic on our site and can also help to ensure that advertising you see online is more relevant to you and your interests.

Cookies themselves only record which areas of our site have been visited by your computer or device and for how long. Allowing us to create a cookie does not give us access to the rest of your computer, and does not allow us to see any personally identifiable data about you.

Types of Cookies

We've arranged the Cookies we use into three groups:

a) Required cookies: These Cookies are necessary for core features of this site to operate properly. Because they are needed for the site’s operation, they are always set to "Active". They include, for example, cookies that enable you to log into secure areas of our website or make a purchase.

b) Functionality cookies: These Cookies allow us to analyse site usage in order to evaluate and improve its performance. They are also used to provide a better user experience on the site, such as by measuring interactions with particular content or remembering settings.

Cookies we use

You can find more information about the individual cookies we use and the purposes for which we use them in the table below. If you choose not to accept any Functionality cookies or your browser is not compatible with our cookie preference tool we will only use Required cookies.
 

sess_track: A unique randomly generated ID to track a user’s actions within a session. Used for sticky load-balancer sessions (primary purpose), and analytics (secondary purpose).

perm_track: A unique randomly generated ID to track a user’s actions across sessions. Used for fraud detection (primary purpose), and analytics (secondary purpose).

ASP.NET_SessionId: Microsoft.net generated token, used to recognise a user and tie their session data to their interactions with the web server. Without this cookie the site does not function. Strictly Necessary.

WebTisLogin: This cookie only contains a logged-in flag and the items in the basket.

SecureToken: SSL-only cookie, containing a unique randomly generated ID. This is used for session validation in the secure areas of the website. Without the cookie, the site will not allow purchases to be made.

WebTISToken: This contains a unique token used by remote partners (such as marketing pages) to obtain information for site personalisation that was previously contained in the WebTisUser and WebTisLogin cookies. This is only present when the user is logged in.

WebTISPersonalisation: This contains a unique token used by remote partners (such as marketing pages) to obtain information for site personalisation that was previously contained in the WebTisUser cookie. This is present when the user has been logged in, and persists if the user chooses “Remember me”. (If the user chooses “Remember me”, this cookie is issued to expire on 1st Jan 2100; if not, it is issued as a session cookie.)

ExperienceCookie: Session cookie, contains an indicator to set the version of the site displayed for the user.

MobileCookie: Session cookie, contains an indicator to set whether mobile or desktop view is in use.



Changing cookie settings

When visiting our website for the first time on a device you will see a cookies banner explaining that we use cookies, why we use them and providing a link to this document. This banner gives you a settings option for our website. If you click on this, you can turn certain cookies on and off. You can access these settings and change your choices at any time in the future by clicking on the Cookies Settings link at the top of our website pages. Please be aware that if you turn cookies off certain features of our website will not work.

In addition, with most Internet browsers, you can erase or block cookies or ask to receive a warning before a cookie is stored. The “Help” function within your browser should tell you how. Alternatively, you may wish to visit the following sites:

www.aboutcookies.org
www.allaboutcookies.org

The sites above contain comprehensive information on how to do this on a wide variety of browsers. You will also find details on how to delete cookies from your computer as well as more general information about cookies.

Please be aware that restricting cookies may have a negative impact on the functionality of the Website.

Cookies that have been set in the past

If you have disabled one or more Functionality cookies, we may still use information collected from cookies prior to your disabled preference being set; however, we will stop using any disabled cookies to collect any further information.

