Effective: 18 May, 2018
At Loco2, we are serious about your privacy and security. We believe in being open and transparent about how we collect and use your data.
Loco2 sells train tickets, not information. We don’t sell your Personal Data to anyone, and when we share data with third-parties it’s only to improve your experience of using Loco2.
- Data We Collect And Receive
- How We Gather Data
- How We Use The Data We Collect
- Data Retention
- How We Share And Disclose Information
- How We Use Information
- Where We Store Your Personal Data
- Age Limitations
- Your Rights
- Data Protection Authority
- Contacting Loco2
This policy applies when Loco2 acts as a data controller; that is when we decide the purposes and means of processing the Personal Data of our users. In this role, we may share your data with third parties to improve your experience of using Loco2.
When we refer to “Loco2”, we mean the Loco2 entity that acts as the controller or processor of your information, as explained in more detail in the “Identifying the Data Controller and Processor” section below.
In this policy, "we", "us", "our" and “Loco2” refer to the company Loco2 Ltd.
References to “you”, “your” or “user”, refers to private individuals or professionals who use our Service.
“App(s)” and “Application(s)” refer to our mobile applications for iOS (iPhone or iPad) and Android.
“Operators” refers to several rail and road operators. We sell tickets on their behalf to provide our Service.
Data We Collect And Receive
We collect and receive information, including “Personal Data”, in various ways when you use our Service and Application(s), and “Other Information” to supply, analyse and improve our Service:
“Personal Data” means any information which, either in isolation or in combination with other information, identifies you as an individual. Examples of Personal Data include your name, date of birth, address, e-mail address, telephone number, and billing information.
“Other Information” means information which cannot be used, either in isolation or in conjunction with other generic data, to identify you as an individual. It includes information such as IP addresses, device ID, and referring domains.
We provide you choices that allow you to opt-out or control how we use and share your data.
- If you have a Loco2 account, you can access privacy controls via the communication preferences settings in your account. By using the privacy controls, you can opt out of direct marketing communications. You can also request the deletion of your account via account settings.
- If you have previously used Loco2 as a guest, it is possible to create an account at any time with the same email address in order to access privacy controls or request the deletion of your account and associated Personal Data.
- If you do not hold a Loco2 account, you can unsubscribe from Loco2’s email marketing at any time by clicking the unsubscribe link in any of our emails. You can also contact us to request the removal of other data.
How We Gather Data
Information You Provide to Us
We collect information, including Personal Data, which you provide to us directly. This information is actively provided by you in order to access specific features of our Service, or make ticket bookings. For example:
- We collect your email address when you create a booking alert.
- We collect various Personal Data when you use our Service to place an order, including your name, email address, billing address and, in the case of tickets delivered by post, your delivery address. In some cases, when requested by Operators, we collect your date of birth and/or passport number.
- When you create an account or change the details associated with your account, we collect your first and last name, email address, and a password (which is encrypted)
- If you don’t have a Loco2 account or place an order with an email address that is not associated with an existing account, then any purchases you may make will not appear in your account history. Each purchase made outside your account is considered an independent purchase, and we register it as such each time. The Personal Data you provide when making a purchase without an account will be dealt with in the same way as in all other transactions.
- As part of providing our Service, we collect and securely process financial data via a software integration with a third-party payments service provider. Most of this information (including payment card data) is stored only with the third-party payments service provider and cannot be accessed by Loco2 staff.
- If you contact us, we keep a record of that correspondence which may include your name, email address and details of your order/s, and any other information you share with us via email.
In addition to your Personal Data, we may collect the Personal Data of other named individuals that you provide to us when you use our Service. For example, the names of your fellow passengers.
By using our Service, you confirm that the information you enter about yourself and any other passengers is accurate and that when you are submitting Personal Data belonging to anyone other than yourself you have the consent of those people, or parental or guardian consent for any person child under 16 years of age.
Information we automatically collect
We collect and receive Other Information when you use our Service in order to improve your experience of using Loco2.
This may include details of your visits to our Site or Apps, IP address, browser type and operating system, referring URLs, location data, device ID, weblogs and other communication data. We use Other Information gathered in this way for anonymised aggregate data analysis about how people use our Service, and in some cases to provide more targeted marketing/advertising.
- We may collect and process anonymous information about your use of our Service, for example, the pages you visit and searches you perform.
- We may use anonymous data to provide, update, maintain and protect our Services and business for example to prevent errors, security or technical issues, analyse and monitor usage, trends and other activities.
- We may receive browsing data that includes an IP address, the address of the web page visited before using Loco2, browser type and settings, the date and time the Services were used, information about browser configuration and plugins, language preferences and cookie data.
- We may receive device information including the type of device, the operating system being used, application IDs, unique device identifiers and crash data. Whether we collect some or all of this Other Information often depends on the type of device used and its settings.
- We receive Other Information that helps us approximate your location which can inform internal market research and trend analysis, and to tailor marketing (e.g. to show messages in your preferred language). For example, we may use an IP address received from your browser or device, or the country contained in your billing address to determine approximate locations.
- Your device ID, location and your IP address are collected by a third-party service provider as part of the payment process as a fraud prevention measure
We may also share anonymous information about your use of our Service with third-parties sub-processors for analytical purposes. Please see the information about How we share information in the Cookies Policy for more information.
How We Use The Data We Collect
We may use your data for our legitimate interests, namely:
- To operate our Services: When you book and pay for tickets we use the information you provide on our Site and Apps to supply tickets via commercial agreements we hold with Operators.
- To send emails and other communications. We may send you service, transactional and other administrative emails e.g. booking confirmation, ticket on hold expiration warnings. This may include other types of communications (e.g. text messages to inform you of a delay to a train). We may also contact you to inform you about changes in our Service and important notices, such as security and fraud notices. These communications are considered part of our Service and you may not opt out of them.
- To communicate with you when you contact us. Our customer support team may communicate with you to troubleshoot problems or answer questions you may have about your account, tickets or payment, in order to help you.
- To send marketing emails and other communications. We send emails about new product features, promotional communications or other news about Loco2 to people who are subscribed to our mailing list. These are marketing messages so you can control whether you receive them.
- To offer tailored services. We promote our Service to you via advertising as well as with promotional emails for those who consent to receive them. To ensure our Service is relevant to you, we analyse your habits so we can propose offers which fit your interests.
- To collect payments. When you buy a ticket, we use payment services that are provided by other companies to process your bank or other types of transaction (e.g. PayPal, Apple Pay). This enables us to send you transactional emails, payment receipts and alerts in case of any glitches with your bank.
- To improve our Service. We collect information on how you use our Service through cookies and share this information with third-party analysis tools, like Google Analytics. Please refer to our Cookies policy for more information on our use of this technology.
- For internal statistics or surveys. We may use your data to generate statistics on our users or ask you to participate in our own surveys.
- To combat fraud.
This section sets out our data retention policies and procedure, which are designed to help ensure that we comply with our obligations in relation to the retention and deletion of Personal Data.
Notwithstanding your right to request the removal of your data, we will retain your Personal Data as follows:
- (a) When you add a ticket to your basket (but do not proceed to purchase), we retain Personal Data that you have entered (name, date of birth, passport number, email address) for a maximum period of 6 weeks from the date it was created.
- (b) When you create an account, we retain any Personal Data that you have entered (your name, email address, saved passengers etc) unless you ask us to delete it.
- (c) When you purchase a ticket, we retain any Personal Data that you have entered (name, date of birth, passport number, email address) unless you ask us to delete it.
- (d) When you create a booking alert, we use your email address to notify you when tickets come on sale only (you are not subscribed to any marketing emails). We may retain your email address to carry out aggregate trend analysis that helps us understand how people use Loco2 and to improve our Service (we will never use your email address for marketing purposes unless you explicitly consent to this).
We may retain certain Personal Data indefinitely unless you request its deletion. For example, we don’t automatically delete inactive user accounts if they contain an order, so unless you choose to delete your account, we will retain your account information.
How We Share And Disclose Information
We may disclose your personal information to any member of our group, which means our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
We may disclose your personal information to third parties:
- If we are under a duty to disclose or share your Personal Data in order to comply with any legal obligation, or in order to enforce or apply our Website Terms and Conditions or Booking Terms and Conditions and other agreements; or to protect the rights, property, or safety of Loco2 Limited, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
- To gather feedback about our Service, detect and log bugs or report crashes and issues in our Site and Apps and to carry out trend analysis to improve your experience of using Loco2.
- In the event that we sell or buy any business or assets, in which case we may disclose your Personal Data to the prospective seller or buyer of such business or assets.
- If Loco2 Limited or substantially all of its assets are acquired by a third party, in which case Personal Data held by it about its customers will be one of the transferred assets.
We will not disclose your information to any third party for any marketing purposes unless we obtain your consent. If you do give consent for us to share any details, you can exercise your right to prevent any such processing by opting out.
Our Site and Apps may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any Personal Data to these websites.
How We Use Information
We don’t sell your Personal Data to anyone, and when we share data with third-parties it’s only to improve your experience of using Loco2. The following examples explain the most common instances in which we use information:
- For ticket sales and reservations: We collect and share some Personal Data with Operators because they need them to issue your ticket, or send you a ticket directly. For example, in order for us to obtain an e-ticket for Eurostar on your behalf, we must transmit your name, surname, and date of birth to Eurostar. For Thalys, we share your email address so the rail operator can send your ticket to you directly, as Thalys currently requires. Without sharing this data, it would not be possible for us to provide our Services to you. In any case, we only transmit what is required by the rail operator, nothing more.
- For travel alerts and disruption: We may also share your email address or telephone number with rail operators who provide travel alerts, so they can contact you in limited circumstances. For example, if your Eurostar train is cancelled, Eurostar may notify you by email and suggest alternative travel plans.
With service providers
We use some third-party service providers and partners to support our business and perform tasks that are required to deliver our Service or to improve your Loco2 experience. For example, we use a payment provider to process payments securely and an email service provider to send transactional emails. Other third parties, for example, provide virtual computing and data storage services.
With Corporate Affiliates and/or the authorities
Loco2 may share some data with its corporate affiliates, parents and/or subsidiaries. The confidentiality of your data and your rights in relation to your data will always be respected. We may also be legally obliged to share some data with the police or customs authorities, or government or administrative agencies, for example for purposes of fraud prevention.
With social networks
If you choose to create an account on our website using your Facebook or Twitter account, you may be subject to the privacy policies of these companies in addition to this policy. These functionalities are based on cookies, which can collect information about you such as your IP address, or the pages you visit. Loco2 cannot control the actions of Facebook or Twitter and we cannot answer for the information you supply to us through the intermediary of these social networks.
Where We Store Your Personal Data
Loco2 may transfer your Personal Data to countries other than the one in which you live. We deploy the following safeguards if Loco2 transfers Personal Data originating from the European Union or Switzerland to other countries not deemed adequate under applicable data protection law:
European Union Model Clauses
Loco2 adopts European Union Model Clauses to meet the adequacy and security requirements for your Personal Data where it is transferred outside the EEA for example if it processed by staff operating outside the EEA who work for us.
E.U.-U.S. Privacy Shield and Swiss-U.S. Privacy Shield.
Loco2 ensures that any third-party service providers we appoint are certified under the E.U.-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield. These frameworks were developed to enable companies to comply with data protection requirements when transferring Personal Data from the European Union and Switzerland to the United States. To learn more about the Privacy Shield Program, please see http://www.privacyshield.gov/welcome.
Loco2 takes the security of your data very seriously. We do our utmost to preserve your Personal Data and prevent it from being stolen, damaged or misrepresent
All information you provide to us is stored on secure servers. All payment transactions are encrypted using Secure Sockets Layer (SSL) technology, which encrypts information you input.
SSL technology is used to pass data over a secure connection to our payment service provider who processes card payments made through the site on our behalf. Loco2 never sees or stores financial information you supply via payment forms.
If you have created an account and password to access parts of our site, you are responsible for keeping this password confidential. We ask you not to share your Loco2 password with anyone. All passwords you provide to us are encrypted on our servers and cannot be accessed by Loco2 staff. If you lose your password, there is no way for Loco2 to resend it. You can, however, reset it at any time on our site or apps.
We use strict procedures and security features to try to prevent unauthorised access. Unfortunately, the transmission of information via the internet is not completely secure. Loco2 cannot guarantee that Information, during transmission through the Internet or while stored on our systems or otherwise in our care, will be absolutely safe from intrusion by others.
In the event of a breach of Personal Data, Loco2 will comply with its obligations to notify the relevant supervisory authority for our processing activities and inform affected individuals without undue delay
To the extent prohibited by applicable law, Loco2 does not allow the use of our Services by anyone younger than 16 years old. If you learn that anyone younger than 16 has unlawfully provided us with Personal Data, please contact us and we will take steps to delete such information.
If your travelling party includes travellers under the age of 16 years old, the adult using our Service is responsible for obtaining parental or guardian consent for the provision of Personal Data (typically limited to name and date of birth) and any related data processing activity.
To the extent that Loco2’s processing of your Personal Data is subject to the General Data Protection Regulation, Loco2 relies on its legitimate interests, described above, to process your data.
Individuals located in certain countries, including in the European Economic Area (EEA), have statutory rights in relation to their Personal Data. Subject to any exemptions provided by law, you may have the right to request access to the Personal Data we hold, as well as to seek to update and correct it, or request its deletion.
- You can inspect the Personal Data we hold in your Loco2 account.
- It is possible to update or correct your Personal Data within your Loco2 account.
- You can request the deletion of your Personal Data within Settings of your Loco2 account. Your Personal Data will be removed from Loco2 and any third-party apps that we may have shared it with within 30 days of the request, or within 30 days of any future travel dates.
If you didn't sign up for an account when you placed an order, creating an account at any time will enable you to view any bookings that are associated with the same email address and access account settings.
If you cannot use the settings and tools for any reason, contact our customer support team for assistance.
Loco2 may retain some Personal Data after you have deactivated your account where such retention is necessary for compliance with a legal obligation to which we are subject, for example for financial reporting or to conduct audits, comply with (and demonstrate compliance with) legal obligations or resolve disputes, or in order to protect your vital interests or the vital interests of another person.
If you consent to us using your Personal Data for marketing purposes we may also send your marketing communications, and you have a right to revoke consent for Loco2’s use of your Personal Data for this purpose. You can unsubscribe from Loco2’s email marketing at any time by clicking the unsubscribe link in any of our emails, or by using the settings and tools provided in your Loco2 account.
Data Protection Authority
Subject to applicable law, you also have the right to (i) request the erasure of any Other Information that may constitute Personal Data held by Loco2 and (ii) lodge a complaint with your local data protection authority or the UK’s Data Protection Commissioner, which is Loco2’s lead supervisory authority in the European Union.
If you are a resident of the European Economic Area and believe we fail to maintain your Personal Data within the scope of the General Data Protection Regulation (GDPR), you may direct questions or complaints to our lead supervisory authority:
- Information Commissioner's Office (ICO)
- Wycliffe House
- Water Lane
- Wilmslow, Cheshire SK9 5AF
- Telephone: +44 (0)303 123 1113
- Live chat
To communicate with our Data Protection Officer, please email us and mark your email "for the attention of the Data Protection Officer".
For the purpose of the Data Protection Act 1998 (“the Act”), the data controller is located at our registered office:
- Loco2 Limited
- c/o Brachers
- Somerfield House
- London Road
- Kent, ME16 8JH