- These products, services, websites and apps are referred to collectively as “services” in this policy.
- Where abbreviated, “GDPR”, refers to the General Data Protection Regulation.
- We will only collect and process your personal data in accordance with Data Protection Legislation and we will adhere to the principles (as applicable) contained within GDPR.
- We collect and process your personal data to comply with our legal obligations; to pursue our legitimate interests as a business and where you have given us consent to do so.
The Information We Collect
- We collect personal data in order to be able to provide you with our services.
- To access some of our services, e.g. Mobile Ticketing in the NCTX Buses App, topping up an Easyrider card or viewing “Favourites”, you must register for an account.
- The types of personal data we collect are: name, postal address, email address, date of birth, telephone number, social media handle
- We collect usage information about you whenever you interact with our website and apps. This includes the pages you have visited, what you click on, your device settings, how you arrived on our website etc.
- We collect information from your device and the application you use to access our services. Device data includes your IP address, operating system version, device type, system and performance information and browser type. If you are using a mobile device, we also collect the UUID for that device.
- Some services make use of location data sent from a customer’s device. You can turn this functionality off at any time by turning off the Location Settings on your device.
- We use third party tracking services that employ cookies to collect data about visitors to our websites and apps. This data includes usage and user statistics. Please refer to our Cookies Policy below.
- Our web servers keep log files that record data each time a device accesses those servers. The log file contains data about the nature of the access, including (but not exclusively): originating IP addresses, internet service providers, files viewed, operating system versions, device type and time stamps, choice of language, page you enter and exit the website.
- If you make a payment to Nottingham City Transport, we require you to provide your name, address, email address and financial details. These financial details can include your card number, issue and expiry date, CVC number, account name and number and sort code.
- We record all calls made to our Travel Centre (0115 950 60 70) and use a suppression facility when personal data (e.g. bank card details) are passed.
How We Use the Information We Collect
- We process personal data about you, with your consent or in order to improve our services and develop new products and features.
- Information collected from use of our websites and apps is used to allow us to track the most visited and most useful parts of those services; to identify what are our most popular services; to deliver these services effectively, to troubleshoot problems, fix bugs, monitor abuse, track behaviour (aggregated / anonymously) to understand trends and to develop new features.
- Information provided by you for the creation of an account is required so we can provide you with our services, charge you for our services, provide you with customer support and contact you about our services or account.
- We use contact information to respond to customer queries, send customers information as part of providing the services and to send marketing information. Customers can opt out of receiving marketing information.
- We use a customer’s email address to send them marketing newsletters, unless you opt out of general updates on your account or by clicking “unsubscribe”
- We occasionally contact customers about matters that are of a ‘transactional nature’, which includes service-related announcements, payment, changes to policies or services, welcome email, notification of a Direct Debit payment change. You cannot opt out of these communications because they are required to provide our services to you.
- Information collected when using our On Bus Wi-Fi is outlined under the section headed “Wi-Fi”.
- We collect information using Cookies to ensure full functionality of the services provided; to determine the success of our advertising campaigns and to measure the performance of email messaging to improve email deliverability and open rates. Please refer to our “Cookies” section of this policy.
- To manage our services, we will use your information and data internally to enforce Terms and Agreements; to prevent illegal activities; to screen for abuse of services and to improve our products and services (anonymised).
- To respond to legal requests or to prevent fraud, we may need to use and disclose information or data we hold about you to the Police or Home Office.
- As a result of the data we collect, we profile this information with third party sources, which enables us to make our sales and marketing more relevant to you and to personalise our marketing campaigns and website experiences. You can view their Privacy Policies below:
|Passenger Technology Group||https://www.discoverpassenger.com/privacy-policy/|
Information We Share
- In order to provide certain aspects of our services, we use trusted key partners for:
- Customer email distribution
- Provision of our websites and apps
- Facilitating customers making payments through our websites and apps
- Delivering and tracking marketing and advertising
- Tracking web conversions
- We have written Agreements with all of our trusted partners that cover data protection and privacy and they must demonstrate to us that they are GDPR compliant on a routine basis.
- Trusted partners currently used are: Ambidect, Campaign Monitor, Facebook, Global Iris, Icomera, Page One Media, Passenger Technology Group, Stripe, Twitter, We are Base. You can view their Privacy Policies below:
|Passenger Technology Group||https://www.discoverpassenger.com/privacy-policy/|
|Page One Media||https://pageonemedia.co.uk/website-privacy-notice/|
|We are Base||https://wearebase.com/cookie-policy/|
- We are a participant in the Robin Hood Travel Scheme and information relating to travel use is provided to the administrators of that Scheme, Nottingham City Council, in order for customers to be charged the appropriate price and for NCT to be paid for the appropriate customers carried.
- We provide a Staff Travel Scheme with employers, that enables employees to pay for their travel through their salary. Your employer will share with us with your details in order for you to join and leave the scheme.
- Any personal data, not relating to clauses 31 and 32, that is shared with third party organisations will be anonymised.
- We also have to share information or data in order to:
- Meet applicable laws and regulations
- Comply with Police and Home Office requests
- Enforce policies and agreements
- Detect, prevent and address fraud, security or technical issues
- Cookies are small bits of data stored on the device you use to access our websites or apps, which are used to recognise repeat users.
- Collecting data about how customers interact and use our services
- Make our websites and apps easier to use e.g. staying signed in for when you revisit the site
- Security reasons e.g. to authenticate your identity
- Provide you with customised content e.g. favourite stops, journeys, buses
- Improve our services
- Advertise to you, either directly or through trusted third parties
- The Cookies we use are:
|Visitor Tracking||__utma, __utmb, __utmc, __utmt, __utmz, _ga||Google Analytics cookies are used to collect information about how visitors use our website. This information is used to help us improve the way the website works. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they have visited.||Performance and Analytical|
|Cookie Test||wordpress_test_cookie||This is a cookie that is set by the site to make sure that you have chosen to accept cookies. It collects no other data and has no other function.||Performance|
|User Logged in State||wordpress_logged_in||This is a cookie that is set by the site to record the your logged in state across sessions. It is only set if the user logs in and is removed when they log out.||Performance|
|Geography and Timezones||wp-settings-1
|These cookies contain information about your geographic location. They have no impact on your user experience and store no personal information.||Performance and Analytical|
|Hide Latest Disruptions||__hide_latest_disruptions||This cookie is set when hiding the disruptions alert that appears at the top of pages. It will set the date at the current time and ensure you do not see any further disruptions until there are new ones. It collects no other data and has no other function. It expires after 7 days.||Performance|
|Web Form Security||csrftoken||This cookie is designed to help protect a site against at particular type of software attack on web forms.||Performance|
|Redirect to current page||wordpress_redirect||This cookie allows us to return you to the same page you are currently viewing after logging in.||Performance|
|Nctx.co.uk cookies||cfduid||This is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis. For example, if the visitor is in a coffee shop where there are a bunch of infected machines, but the specific visitor’s machine is trusted (e.g. because they’ve completed a challenge within your Challenge Passage period), the cookie allows us to identify that client and not challenge them again. It does not correspond to any user ID in your web application, and does not store any personally identifiable information.||Performance|
|Nctx.co.uk cookies||PHPSESSID||Anonymous cookie to help keep track of a user’s session||Analytical|
|New Relic cookies||SESSIONID||This helps us keep the website stable and monitored.||Performance|
|Facebook Pixel Cookies||sb, fr||Uses Facebook Pixel to anonymously track Facebook users to allow us to serve relevant and targeted ads.||Analytical|
- You can choose to remove or disable Cookies through your browser settings at any time.
NCTX Buses App
- Nottingham City Transport and Passenger Technology Group act as joint Data Controller for personal data gathered from our apps. This means the responsibility for data protection is shared between both parties, though Nottingham City Transport is the point of contact for data subjects, as outlined under “Your Rights and Contact Us”.
- We take our responsibility to protect and secure your information seriously.
- All personal data is securely stored within data centres inside the European Economic Area.
- We provide training to staff on how to recognise a data breach and all data breaches are evaluated within 48 hours. Data breaches are managed under GDPR regulations and logged in a Data Breach Log and reported to the Information Commissioner’s Office where applicable.
- You are responsible for maintaining the security of your account, user names, passwords and personal details when using our services on your device.
- You are responsible for ensuring that your device is operating to the latest operating versions and with appropriate security measures in place.
- We regularly review operating systems and browsers and implement new security measures as they are released. To ensure we can protect your data, we routinely stop supporting older browsers and operating systems and you should ensure you are using a supported version, which for the main browsers are:
- IOS – 9 or above
- Android – KitKat (4.4) or above
- Internet Explorer – V11 or above
- Safari – 9 or above
- Chrome – 40 or above
- We retain data in order to be able to effectively provide our customers with services and for the business to function.
- Personal data is removed where possible or anonymised if the record entity is required (for example, for accounting purposes or trends analysis).
- Data is securely erased and/or deleted, using approved software or collection services. This follows industry best practices, for example the use of paper shredding and computer file shredding software.
- Retention periods for key data we collect and process are outlined below:
|Type of Data||Retention Period|
|Relating to an account on our websites or apps||
Until you notify us you wish to close the account of use the “Forget me” function to delete it
|Easyrider Travel Card||
Until you notify us you no longer require the card
|Customer Query or Complaint||
2 years, unless required to defend legal cases, where it will be retained as necessary.
|On Bus CCTV||
28 days before it is recorded over
Personal injuries (adults) – 4 years
Personal injuries (under 16) – until their 21st birthday plus 3 months
Internal investigations and customer complaints – 3 months or until the necessary processes have been completed and the images no longer required
Circumstances that may result in litigation – until the matter is closed
|Paper receipts for purchases in the Travel Centre||
Online transaction information
|5 years from the end of the tax year to which the records relate|
|Telephone call recordings||
|Information submitted through the website or apps feedback channels||
|Records relevant for tax purposes||8 years from the end of the tax year to which the records relate|
|On Bus Wi-Fi||12 months|
EU – US Privacy Shield
- We comply with the US-EU Privacy Shield Framework regarding the collection, use and retention of personal data that may be subject to onward transfer to organisations within the US.
- In certain circumstances, Passenger Technology Group will process personal data that originates from the EU in the United States. Passenger Technology Group provide a level of protection of privacy that complies with the EU rules. To ensure this, Passenger Technology Group only use vendors certified under the Privacy Shield.
Photography and Filming
- We sometimes take photographs or undertake filming on and off our buses or in our Travel Centre in order to market and promote the Company.
- Where photography or filming is taking place, you must express to the photographer at the time you do not want to be included.
- Where photography or filming is taking place with pre-arranged models or customers, a Photography Agreement must be completed, which will outline the purpose of the shoot, the intended use of the images or filming and the period for which they will be used and retained.
- Our preferred photography agency uses a secure, online data storage facility to transmit their photographs and films to NCT.
- We are subject to rules and privacy laws when marketing to our customers. For example, a Data Subject’s prior consent will be required for electronic direct marketing (for example, by email, text or automated calls).
- The limited exception for existing customers known as “soft opt in” allows us to send marketing texts or emails if we have obtained contact details in the course of a sale to you (through the NCTX Buses App or purchase of an Easyrider or Uni ID card product), we are marketing similar products or services, and we give you the opportunity to opt out of marketing when first collecting the details and in every subsequent message.
- You can opt out of receiving our marketing emails by pressing the Unsubscribe link included on all of our emails.
- Your objection to direct marketing will be promptly honoured and when a customer opts out at any time, their details will be supressed as soon as practicable. Suppression will involve retaining minimal information to ensure that marketing preferences are respected in the future.
On Bus Wi-Fi
- Our on-bus Wi-Fi is provided by a third party, Icomera UK Limited, who collect and process the personal data on our behalf as a data processor, in order to deliver internet connectivity to customers and other end users.
- To be able to provide the Wi-Fi service for you, we need to process your MAC address (device identification), train GPS position, IP address, timestamp and session ID. This data will be stored in our systems for a maximum period of 12 months and will only be used to maintain the service quality and for support issues, if necessary
- During the user login process, your device ID (MAC-address) is used to authenticate the device after the Terms and Conditions have been accepted. The Terms and Conditions can be viewed here. The MAC-address is stored with associated timestamps, accounting and duration of the session, in order to offer functions such as throttling, auto-login and session termination.
- Icomera, in their role of Data Processor, will sometimes process additional information on behalf of Nottingham City Transport, but will not associate any MAC-address with additional personal data and will process it in accordance with GDPR regulations.
- Under other legislations (e.g. Telecommunication Acts, Surveillance Acts, Terror Acts) Icomera may be required to store information for a longer period than necessary for the delivery of the service, and perform additional processing activities if requested by law enforcements through legal due process.
- Nottingham City Transport has CCTV installed on the interior and exterior of all buses and within the Travel Centre and will use the images for the following purposes:
- Public and employee safety
- Road traffic collision and accident investigation
- The detection, prevention and investigation of crime
- External complaints and internal reports of claims of irregularities
- To ensure compliance with company policies and procedures
- Performance management
- Staff training
- A notification sign is placed in the vicinity of the cameras so that customers are aware that they are entering an area covered by CCTV.
- CCTV footage is viewed only in relation to the purposes outlined in clause 65 and by Directors and Managers of Nottingham City Transport and employees who work in our Insurance, Customer Services and Schools Liaison Teams.
- CCTV footage is retained for:
- Personal injuries (adults) – 4 years
- Personal injuries (under 16) – until their 21st birthday plus 3 months
- Internal investigations and customer complaints – 3 months or until the necessary processes have been completed and the images no longer required
- Circumstances that may result in litigation – until the matter is closed
- You have the right to access personal data about yourself, including CCTV images and footage.
- Images and footage will only be provided upon receipt of a Subject Access Request and the provision of suitable ID to confirm the identity of the person requesting this footage. You can request a Subject Access Request Form by writing to the CCTV Supervisor, Nottingham City Transport, Lower Parliament Street, Nottingham, NG1 1GG or by emailing [email protected]
- If we cannot comply with the request, the reasons for not being able to do so will be documented and you will be advised of these reasons in writing.
Your Rights and Contact Us
- You may make a formal request for access to personal data that we hold about you at any time. This is known as a Subject Access Request (“SAR”). We must respond within one month of receipt of your request. Please note that under the GDPR we are permitted to extend the one month time period for responding by an additional two months where in our view your request is complex or numerous in nature. We may also charge a reasonable fee based on administrative costs where, in our view, your request is manifestly unfounded or excessive or a request for further copies. Alternatively, we may refuse to comply with the request in such circumstances.
- You have a right to ensure that the personal data we hold about you is corrected where it is inaccurate; is erased where it is no longer required and is transferred to another person upon your request. We will honour your requests relating to these matters.
- Our Marketing Manager is responsible for overseeing the day to day operation of the functions outlined within this policy (except CCTV) and queries relating to it and Subject Access Requests should be directed to [email protected] or to the Marketing Manager, Nottingham City Transport, Lower Parliament Street, Nottingham, NG1 1GG.
- You may complain to a supervisory body if you are concerned about the way we have processed your personal data. In the UK this is the ICO – ico.org.uk
- Subject to clause 19, you can opt out of receiving direct marketing materials from us by contacting [email protected] and asking to be withdrawn from the mailing list.
- When you wish to close a website or app account or stop using an Easyrider travel card, notify us by contacting [email protected] or if you have a ‘My Easyrider’ account, using the “Forget Me” link available.
- You can choose to remove or disable Cookies through your browser settings at any time.
Changes to this Policy: