Privacy Policy                                                                              

Last updated: 17/9/2018

The Settle-Carlisle Railway Development Company is committed to protecting and respecting your privacy.

This notice together with our Website Terms and Conditions and any other documents referred to in it sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by The Settle-Carlisle Railway Development Company or our processing partners.  Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. By visiting https://www.settle-carlisle.co.uk/ or providing your information in the circumstances described below, you are accepting and consenting to the practices described in this policy.

 

1. Who is responsible for your data?

For the purpose of the Data Protection Act 1998 (the “Act”), depending on the services used the data controller is either The Settle-Carlisle Railway Development Company and Arriva Rail North Ltd (“Northern”), and the data processor is Assertis Ltd (TrainGenius.com), Colourmedia Solutions Ltd, Java Productions and Briggs Brothers Ltd.

Individuals are advised that when using the “Website” those pages with a web address prefixed by https://www.settle-carlisle.co.uk/ these pages are managed by The Settle–Carlisle Railway Development Company  as the data controller, (a company registered in England and Wales with registration number 2679394 and registered to The Settle-Carlisle Railway Development Company Limited, Town Hall, Market Place, Settle, North Yorkshire. BD24 9EJ).

Individuals are advised that when using the “Website” those pages with a web address prefixed by www.northernrailway.co.uk these pages are managed by Northern as the data controller, (a company registered in England and Wales with registration number 04337712 and registered to 1 Admiral Way, Doxford International Business Park, Sunderland SR3 3XP).

Individuals who purchase tickets through the link to TrainGenius at www.settle-carlisle.co.uk are advised that transactional pages prefixed https://traingenius.com are managed by TrainGenius.com, which is the trading name of Assertis Ltd.  “TrainGenius.com” as the Development Company’s data processor and issuer of train ticket(s) (a company registered in England and Wales with a registration number of 04040155 registered to Globe House, Eclipse Park, Sittingbourne Road, Maidstone, ME14 3EN).

Individuals who purchase tickets from Northern are advised that when using the “Booking Service” – transactional pages prefixed by www.buytickets.northernrailway.co.uk – these pages are managed by Trainline.com Limited “Trainline” as Northern’s data processor and issuer of train ticket(s) (a company registered in England and Wales with a registration number of 03846791 and registered to 120 Holborn, London, EC1N 2TD).

References to “Settle-Carlisle Railway”, “The Settle-Carlisle Railway Development Company”, “Northern”, “Northern Railway” “we” “us” or “our” and they can also refer to our data processor Assertis Ltd (TrainGenius.com), Trainline.com Ltd (“Trainline”), Colourmedia Solutions Ltd, Java Productions of 22 Fairfax Road, Bingley, BD16 4DR and Briggs Brother Ltd, 1 Cononley Business Park, Cononley, BD20 8LG.

 

2. What personal data do we collect?

Information provided by you

You may give us information about you by filling in forms on https://www.settle-carlisle.co.uk/, www.northernrailway.co.uk, or contacting The Settle-Carlisle Railway Development Company or Northern Customer Experience Centre (CEC). This includes information you may provide, but is not limited to the following activities:

• Register and consent to receive marketing information
• Register to purchase a railcard
• Enter a competition
• Provide answers to a promotion or survey
• Report a fault or problem with Northern station(s) or train(s)
• Report a fault or problem with the settle-carlisle.co.uk or northernrailway.co.uk websites
• Make a complaint or enquiry

The information you may give us may include, but it is not limited to the following:

• First name and last name
• Date of birth
• Address details including postcode
• Email address
• Phone number – mobile, home or work
• Disability details (Northern’s Passenger assistance)
• Bank details for compensation claims or group travel refunds
• Transaction meta data (e.g. journey details)
• Relevant rail discount or loyalty cards
• Limited amount of personal data of any other passengers you are booking tickets for
• Personal descriptions and photograph

Information you may provide via our website(s)                                                           

• Geographical location – you will be asked if you wish to provide your location
• IP or MAC address or details regarding use of your mobile device or PC

Analytics

We may collect and process anonymous information about your use of the Website or Booking Service, such as some of the pages you visit and some of the searches you perform. Such information is used by us to help us improve the contents of the Website or Booking Service and to compile, for internal market research purposes, aggregate statistics about individuals using it. This kind of anonymous information can be obtained by our use of “cookies” as well as other means. Please see Section 3, ‘Cookies’ for more information on our use of cookies. We may also share anonymous information about your use of the Booking Service with third parties for analytical purposes

Information we collect about you.

With regard to each of your visits to either https://www.settle-carlisle.co.uk/ or www.northernrailway.co.uk or if you register to use our Wi-Fi services we may automatically collect the following information:

• Technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform.
• Information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our sites (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number

Information we receive from other sources.

We may receive information about you if you use any of the other websites we operate or the other services we provide. We are also working closely with third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies) and may receive information about you from them

Sensitive personal data.

We will not intentionally or systematically seek to collect, store or otherwise use information about you classed as ‘special categories of data’ or ‘sensitive data’ (for example, information relating to any trade union membership, ethnic origin or health).

 

3. Cookies

Our site uses cookies to distinguish you from other users of our site. This helps us to provide you with a good experience when you browse our site and also allows us to improve our sites.

We use a number of different cookies on our site. If you do not know what cookies are, or how to control or delete them, then we recommend you visit http://www.aboutcookies.org for detailed guidance.

The list below describes the cookies we use on this site and what we use them for. Currently we operate an ‘implied consent’ policy which means that we assume you are happy with this usage. If you are not happy, then you should either not use this site, or you should delete the cookies having visited the site, or you should browse the site using your browser’s anonymous usage setting (called “Incognito” in Chrome, “InPrivate” for Internet Explorer, “Private Browsing” in Firefox and Safari etc.)

First Party Cookies

These are cookies that are set by this website directly.

WordPress: Our website runs the popular WordPress Framework and cookies may be used to store basic data on your interactions with WordPress depending on how you use the website. We use a session cookie to remember your log-in for you if you are a registered user and we deem these as being strictly necessary to the working of the website. If these are disabled then various functionality on the site will be broken.

More information on session cookies and what they are used for is available at http://www.allaboutcookies.org/cookies/session-cookies-used-for.html

Third Party Cookies

These are cookies set on your machine by external websites whose services are used on this site.

You should check the respective policies of each of these sites to see how exactly they use your information and to find out how to opt out, or delete, such information.

Google Analytics

Cookie Name: __utma

Cookie Name: __utmb

Cookie Name: __utmc

Cookie Name: __utmz

We use Google Analytics to collect information about visitor behaviour on our website. Google Analytics stores information about what pages you visit, how long you are on the site, how you got here and what you click on. This Analytics data is collected via a JavaScript tag in the pages of our site and is not tied to personally identifiable information. We therefore do not collect or store your personal information (e.g. your name or address) so this information cannot be used to identify who you are.

You can find out more about Google’s position on privacy as regards its analytics service at http://www.google.com/intl/en_uk/analytics/privacyoverview.html

Twitter

Cookie Name: K

Cookie Name: guest_id

Cookie Name: original_referer

Cookie Name: _twitter_sess

We embed feeds from Twitter on this site. Twitter may use cookies to better understand how you interact with their services, to monitor aggregate usage by Twitter users and web traffic routing to Twitter services.

For more information, visit Twitter’s Privacy Policy at https://twitter.com/privacy.

YouTube

Cookie Name: VISITOR_INFO1_LIVE

Cookie Name: use_hitbox

When you view a YouTube video embedded on our site YouTube will place cookies on your computer. YouTube uses cookies to help maintain the integrity of video statistics, prevent fraud and to improve the site experience they offer users.

For further details on the cookies set by YouTube, visit http://www.youtube.com/t/privacy_at_youtube.

 

The Northern Cookie Policy can be found at https://www.northernrailway.co.uk/legal/privacy-policy

 

4. How we use your personal data and the legal basis for such processing?

The collection of the personal data described in Section 2, “What personal data do we collect?” is usually mandatory and, if such personal data is not provided, we will not be able to provide the information, products and services to you.  Where the collection of any personal data is not mandatory, we will inform you of this prior to collection, as well as the consequences of failing to provide the relevant personal data.

Our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it.

However, we will normally process your personal information only:

• Where we have your consent to do so
• Where the processing is necessary to perform our contract with you
• Where the processing is in our legitimate interests or those of a third party and such interests are not overridden by your data protection interests or fundamental rights and freedoms
• Where we have a legal obligation to process your personal information.

Information provided by you. We use your personal information as follows:

Purpose of processing	Legal basis for processing
Register for Railcard	Performance of a contract
Provision of your tickets to use our services	Performance of a contract
Fraud checks – automated	Performance of a contract related to Ticket purchase
Completion of forms for annual season ticket through the Northern corporate season ticket scheme	Performance of a contract
Suggestions, complaints and appeals	Performance of a contract
Claims for compensation and refunds	Performance of a contract
Franchise change information, For example if the Northern Franchise passes to the Government, another legal entity or operating company	Legal obligation
Northern’s Travel Assistance –  Journey Call	Legal obligation
CCTV and body worn cameras	Legal obligation for the prevention and detection of crime
Email and completion of rail travel surveys	Legitimate interest
Annual reminder of upcoming season ticket expiry for corporate season ticket scheme holders	Legitimate interest
Emails about service changes, such as timetable changes, engineering works or strike information	Legitimate interest
Corporate season ticket scheme e-newsletter updates and information	Legitimate interest
Messages to Northern or Settle Carlisle Railway via social media	Legitimate interest
Consent to receive marketing emails	Consent
Competition entries	Consent
Customer experience feedback and surveys	Consent

 

Information we collect about you. We use your personal information as follows:

Purpose of processing	Legal basis for processing
IP address to infer approximate location for our booking service (we will ask for permission to use this)	Legitimate interest to provide relevant journey information based on your current location – you will be asked to confirm via your browser if you wish this information to be known
Using your IP address for Fraud checks	Legitimate interest
Data related to your use of the Website or Booking Service through the use of cookies	Consent – Please see our Cookie Policy

 

Information we receive from other sources.

We may combine this information with information you give to us and information we collect about you. We may use this information and the combined information for the purposes set out above (depending on the types of information we receive).

If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided under Section 11, “Questions about this Privacy Policy”

 

5. Who do we share your information with?

We may disclose your personal data to the following categories of recipient for the purposes described in this Privacy Policy:

Third parties who process your personal data on our instructions

Service Providers

• We use third party service providers to carry out many of the activities listed in Section 4, “How we use your personal data and the legal basis for such processing”. This includes our ticket vendors TrainGenius.com and Trainline.com, newsletter and email campaign Colourmedia Solutions, for the posted newsletters designers, Java Productions and printers Briggs Brother Ltd
• Our service providers act on our instructions, and we ensure that they take measures to keep your personal data safe.
• Fraudulent payment detection.  Your payment data is used only for the transaction and your data is not retained any longer than is required for payment processing, fraud detection/prevention and auditing.  We do not store any credit/debit card information within this website
• We do not allow our service providers to use your personal data for any purpose other than carrying out the service in question, and we only provide them with those parts of your personal data that they actually need.
• All payments for ticket purchase through Visa and Mastercard are processed by Assertis Ltd and Trainline.com Limited as outlined in Section 1, “Who is responsible for your data?

Other UK Rail Operators

• Northern share your personal data with some operators for ticket fulfilment purposes
• Northern may share your email address or phone number with some operators so that they can contact you with service messages, for example if a train is cancelled.
• Northern may also need to share some of your personal data with any other transport carriers or other service providers who provide you with any part of the services that you’ve booked through us.

The Authorities

• In some circumstances we have a legal obligation to share parts of your personal data with police or customs authorities, regulatory authorities, government & law enforcement agencies. This may include, but is not limited to, fraud prevention and detection.

We may also disclose your personal data to any competent law enforcement body, regulator, government agency such as Rail North, the Department for Transport (DFT) or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation; (ii) to exercise, establish or defend or legal rights; or (iii) to protect your vital interests or those of any other person;

Other

• We may also transfer your personal data to a buyer or potential buyer (and its agents and advisers) of Trainline.com or TrainGenius.com in connection with any reorganisation, restructuring, merger or sale, or other transferring of assets provided that we inform any receiving party it must use your personal information only for the purposes disclosed in this Privacy Policy.
• The Northern franchise under arrangements with the Secretary of State for Transport and the franchise operations may pass to a successor operator. We may disclose your personal data to the relevant franchising authority and/or any successor operator and any successor operator must use your personal information only for the purposes disclosed in this Privacy Policy.
• We may disclose your data to any other person to whom you request us to make disclosure or if you consent to such disclosure.

 

6. Data Retention

We will not retain your personal data for longer than is necessary to fulfil the purposes for which we collected that personal information, unless the law permits or requires that we retain it for longer.

The table below explains in more detail how long Northern will store different types of customer information for:

Passenger Information
Passenger details (e.g., name, address of customer etc) (ii)  Current passengers   (ii)  Lapsed passengers	For the duration of the passenger’s registration with Northern and then for the period specified for lapsed passengers   For a period of 6 years following the end of the year in which you  last purchased Northern’s Services
Passenger data	For the duration of the passenger’s registration with the Customer and then for a period of 6 years following the end of the year in which the passenger last purchased the Customer’s services
Passenger consents to Customer terms and conditions	For the duration of the processing of the Personal Data and up to 6 years thereafter
Passenger service enquiries	3 years
Statistical reports/marketing data	6 years
Register of complaints	Review after 10 years
Correspondence and papers including emails	Review after 6 years (or 10 years if the documents relate to a complaint or investigation)
WiFi registration	Once you have created an account to use Northern’s WiFi services, then the account information you provide will be retained for a period of one year. At the end of the one year period you will be asked to re-confirm your details when you log in to use and if necessary update your details to continue receiving WiFi services.
Registration information
Prospective customers	If you have registered an account with Northern on www.northernrailway.co.uk but NOT purchased a ticket through our online Booking Service at www.northernrailway.buytickets.co.uk  then Northern will keep your account until you notify Northern that you no longer require your account or you purchase a ticket online. Once you purchase a ticket online using www.northernrailway.buytickets.co.uk then the information regarding customers (below) will apply.  Northern will review account information on an annual basis and we may contact you to ask if you still wish to retain your account.
Customers	If you have registered an account with Northern www.northernrailway.co.uk or their online Booking Service www.buytickets.northernrailway.co.uk and purchased a ticket online using www.buytickets.northernrailway.co.uk Northern will keep your account for up to six years following the end of the year in which you last purchased Northern’s Services
Marketing information
Marketing permissions and preferences	If you have given The Settle-Carlisle Railway Development Company or Northern permission to send email marketing messages to you then we will retain your marketing preferences until you notify us that you no longer wish to receive marketing emails by updating your marketing preferences by logging into your account and updating your preferences. We will review marketing preferences annually and may contact to you to ask if you wish to still continue receiving marketing emails.

 

7. Information Security

We apply appropriate administrative, technical and organisational security measures to protect your personal data that is under our control from unauthorised access, collection, use, disclosure, copying, modification or disposal.  All information you provide to us is stored on secure servers.

The Settle Carlisle Railway Development Company and Northern (as part of the Arriva plc Group), trains employees regarding data privacy policies and procedures and permit authorised employees to access personal data on a need to know basis, as required for their role.  Steps to ensure that any service provider with whom we engage to process personal data on our behalf takes appropriate technical and organisational measures to safeguard such personal data.

 

8. Transferring Information Internationally

Your personal information may be transferred to, and processed in, countries other than the country in which you are resident.  These countries may have data protection laws that are different to the laws of your country.

Specifically, Northern may use third party service providers located in Dublin, Frankfurt and the US. This means that, when they collect your personal information, it may be processed in these countries.  However, we have taken appropriate safeguards to require that your personal data will remain protected in accordance with this Privacy Policy.  These safeguards include implementing the European Commission’s Standard Contractual Clauses for transfers of personal information to our third-party service providers and further details can be provided upon request.

 

9. Updates to this Privacy Policy

We may update this Privacy Policy from time to time in response to changing legal, technical or business developments. When we update our Privacy Policy, we will take appropriate measures to inform you, consistent with the significance of the changes we make.  We will obtain your consent to any material Privacy Policy changes if and where this is required by applicable data protection laws.

You can see when this Privacy Policy was last updated by checking the “last updated” date displayed at the top of this Privacy Policy. 

 

10. Your Data Protection Rights

You have the following data protection rights:

• If you wish to access, correct, update or request deletion of your personal information, you can do so at any time by contacting The Settle-Carlisle Railway Development Company Ltd. If Northern hold your data, The Settle-Carlisle Railway Development Company Ltd will inform the Northern Data Protection Officer on your behalf.
• Please note: We retain personal information from deactivated accounts to comply with law, prevent fraud, collect any fees owed, resolve disputes, assist with any investigations, enforce our terms and conditions, and take other actions otherwise permitted by law. We may also retain some pseudonymous data for analytical purposes so we can understand, for example, how many visitors we have had to the Website or Booking Service.
• In addition, you can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information. Again, you can exercise these rights by contacting us at the Settle Carlisle Railway Development Company, Town Hall, Settle, BD24 9EJ, telephone 01729 825888
• If we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.

We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.

 

11. Questions about this Privacy Policy

If you have any question, concerns or complaints about this Privacy Policy or our handling of your personal data, you can contact us by email using [email protected] or by post to the following address:

The Settle-Carlisle Railway Development Company Limited
Town Hall
Market Place
Settle
North Yorkshire
BD24 9EJ

For queries about the train operating company’s privacy policy  you can contact Northern’s Data Protection Officer by email [email protected]

You have the right to complain to a data protection authority about our collection and use of your personal information.  If you are based in the European Economic Area, please contact your local data protection authority. (Contact details for data protection authorities in the European Economic Area, Switzerland and certain non-European countries are available on the EU Commission’s website via the following link):http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm)

The controller of your personal data is The Settle-Carlisle Railway Development Company Ltd and Northern.

Note:  This web site contains links to other sites. Please be aware that we, the Settle Carlisle Railway Development Company, are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects personally identifiable information.