Customer Privacy Policy

This Customer Privacy Policy is effective from Tuesday 5 January 2021 and replaces the previous version, dated 18 March 2019.


  1. This Privacy Policy applies to all products, services, websites, apps and the Alexa Skill offered by Nottingham City Transport Limited, registered at Lower Parliament Street, Nottingham, NG1 1GG.
  2. These products, services, websites, apps and the Alexa Skill are referred to collectively as “services” in this policy.
  3. In addition to our Privacy Policy, customers should familiarise themselves with the following: NCT Terms and Conditions of Carriage; Easyrider Terms and Conditions of Issue; NCTX Buses App Terms and Conditions; Wi-Fi Terms and Conditions; Alexa Skill Terms of Use.
  4. Where abbreviated, “GDPR”, refers to the General Data Protection Regulation.
  5. We will only collect and process your personal data in accordance with Data Protection Legislation and we will adhere to the principles (as applicable) contained within GDPR.
  6. We collect and process your personal data to comply with our legal obligations; to pursue our legitimate interests as a business and where you have given us consent to do so.

The Information We Collect

  1. We collect personal data in order to be able to provide you with our services.
  2. To access some of our services, e.g. Mobile Ticketing in the NCTX Buses App, topping up an Easyrider card or viewing “Favourites”, you must register for an account.
  3. The types of personal data we collect are: name, postal address, email address, date of birth, telephone number, social media handle.
  4. We collect usage information about you whenever you interact with our services. This includes the pages you have visited, what you click on, your device settings, how you arrived on our website, search queries etc.
  5. We collect information from your device and the application you use to access our services. Device data includes your IP address, operating system version, device type, system and performance information and browser type. If you are using a mobile device, we also collect the UUID for that device.
  6. Some services make use of location data sent from a customer’s device. You can turn this functionality off at any time by turning off the Location Settings on your device.
  7. We use third party tracking services that employ cookies to collect data about visitors to our websites and apps. This data includes usage and user statistics. Please refer to our Cookies Policy below.
  8. Our web servers keep log files that record data each time a device accesses those servers. The log file contains data about the nature of the access, including (but not exclusively): originating IP addresses, internet service providers, files viewed, operating system versions, device type and time stamps, choice of language, and the pages on which you enter and exit the website.
  9. If you make a payment to Nottingham City Transport, we require you to provide your name, address, email address and financial details. These financial details can include your card number, issue and expiry date, CVC number, account name and number and sort code.
  10. We record all calls made to our Travel Centre (0115 950 60 70) and use a suppression facility when personal data (e.g. bank card details) are passed.

How We Use the Information We Collect

  1. We process personal data about you with your consent or in order to improve our services and develop new products and features.
  2. Information collected from use of our services is used to allow us to track the most visited and most useful parts of those services; to identify what are our most popular services; to deliver these services effectively, to troubleshoot problems, fix bugs, monitor abuse, track behaviour (aggregated / anonymously) to understand trends and to develop new features.
  3. Information provided by you for the creation of an account is required so we can provide you with our services, charge you for our services, provide you with customer support and contact you about our services or account.
  4. We use contact information to respond to customer queries, send customers information as part of providing the services and to send marketing information. Customers can opt out of receiving marketing information.
  5. We use your email address to send you marketing newsletters, unless you opt out of general updates on your account or by clicking “unsubscribe”.
  6. We occasionally contact customers about matters that are of a ‘transactional nature’, which includes service-related announcements, payment, changes to policies or services, welcome email, notification of a Direct Debit payment change. You cannot opt out of these communications because they are required to provide our services to you.
  7. Information collected when using our On Bus Wi-Fi is outlined under the section headed “Wi-Fi”.
  8. We collect information using Cookies to ensure full functionality of the services provided; to determine the success of our advertising campaigns and to measure the performance of email messaging to improve email deliverability and open rates. Please refer to our “Cookies” section of this policy.
  9. To manage our services, we will use your information and data internally to enforce Terms and Agreements; to prevent illegal activities; to screen for abuse of services and to improve our products and services (anonymised).
  10. To respond to legal requests or to prevent fraud, we may need to use and disclose information or data we hold about you to the Police or Home Office.
  11. As a result of the data we collect, we profile this information with third party sources, which enables us to make our sales and marketing more relevant to you and to personalise our marketing campaigns and website experiences. You can view their Privacy Policies below:
Campaign Monitor
Passenger Technology Group
Amazon Alexa

Information We Share

  1. In order to provide certain aspects of our services, we use trusted key partners for:
    1. Customer email distribution
    2. Provision of our websites and apps
    3. Facilitating customers making payments through our websites and apps
    4. Delivering and tracking marketing and advertising
    5. Tracking web conversions
  1. We have written Agreements with all of our trusted partners that cover data protection and privacy and they must demonstrate to us that they are GDPR compliant on a routine basis.
  2. Trusted partners currently used are: Ambidect, Campaign Monitor, Facebook, Google, Global Iris, Icomera, Page One Media, Passenger Technology Group, Stripe, Twitter, We are Base, Inc and its affiliates. You can view their Privacy Policies below:
Campaign Monitor
Passenger Technology Group
Global IRIS
Page One Media
We are Base
Amazon Alexa
  1. We are a participant in the Robin Hood Travel Scheme and information relating to travel use is provided to the administrators of that Scheme, Nottingham City Council, in order for customers to be charged the appropriate price and for NCT to be paid for the appropriate customers carried.
  2. We provide a Staff Travel Scheme with employers, that enables employees to pay for their travel through their salary. Your employer will share your details with us in order for you to join and leave the scheme.
  3. Any personal data, not relating to clauses 31 and 32, that is shared with third party organisations will be anonymised.
  4. We also have to share information or data in order to:
    1. Meet applicable laws and regulations
    2. Comply with Police and Home Office requests
    3. Enforce policies and agreements
    4. Detect, prevent and address fraud, security or technical issues


Cookies

  1. Cookies are small bits of data stored on the device you use to access our websites or apps, which are used to recognise repeat users.
  2. We use cookies to collect data about visitors to our websites and apps, which optimises the functionality of these services. We use Cookies for the following main reasons:
    1. Collecting data about how customers interact and use our services
    2. Make our websites and apps easier to use e.g. staying signed in for when you revisit the site
    3. Security reasons e.g. to authenticate your identity
    4. Provide you with customised content e.g. favourite stops, journeys, buses
    5. Improve our services
    6. Advertise to you, either directly or through trusted third parties
  1. The Cookies we use are:
  • Anonymous cookie to help keep track of a user’s session
  • Cloudflare ID – This is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis. For example, if the visitor is in a coffee shop where there are a bunch of infected machines, but the specific visitor’s machine is trusted (e.g. because they’ve completed a challenge within your Challenge Passage period), the cookie allows us to identify that client and not challenge them again. It does not correspond to any user ID in your web application, and does not store any personally identifiable information.
  • Placed by Stripe to provide fraud protection when a user purchases a ticket using the website.
  • Visitor Tracking – Used by Google Analytics to preserve user sessions.
  • Cookie Message – Determines if the user has seen the cookie warning.
  • User Favourites – Stores the user’s Favourites (Timetables, Journey Plans, Stops)

  1. You can choose to remove or disable Cookies through your browser settings at any time.

NCTX Buses App

  1. Nottingham City Transport and Passenger Technology Group act as joint Data Controller for personal data gathered from our apps. This means the responsibility for data protection is shared between both parties, though Nottingham City Transport is the point of contact for data subjects, as outlined under “Your Rights and Contact Us”.


  1. We take our responsibility to protect and secure your information seriously.
  2. All personal data is securely stored within data centres inside the European Economic Area.
  3. We provide training to staff on how to recognise a data breach and all data breaches are evaluated within 48 hours. Data breaches are managed under GDPR regulations and logged in a Data Breach Log and reported to the Information Commissioner’s Office where applicable.
  4. You are responsible for maintaining the security of your account, user names, passwords and personal details when using our services on your device.
  5. You are responsible for ensuring that your device is running the latest operating system version and has appropriate security measures in place.
  6. We regularly review operating systems and browsers and implement new security measures as they are released. To ensure we can protect your data, we routinely stop supporting older browsers and operating systems and you should ensure you are using a supported version, which for the main browsers are:
    1. iOS – 10.0 and above (iPhone 5 is the oldest model supported)
    2. Android – 5 and above
    3. Android Wear – 2.0 and above
    4. Google Chrome, Mozilla Firefox, Microsoft Edge and Apple Safari – We support the latest version of these browsers and they automatically update whenever a new version of the browser is available

Data Retention

  1. We retain data in order to be able to effectively provide our customers with services and for the business to function.
  2. Personal data is removed where possible or anonymised if the record entity is required (for example, for accounting purposes or trends analysis).
  3. Data is securely erased and/or deleted, using approved software or collection services. This follows industry best practices, for example the use of paper shredding and computer file shredding software.
  4. Retention periods for key data we collect and process are outlined below:
Type of Data – Retention Period
  • Relating to an account on our digital services – Until you notify us you wish to close the account or use the “Forget me” function to delete it
  • Easyrider Travel Card – Until you notify us you no longer require the card
  • Customer Query or Complaint – 2 years, unless required to defend legal cases, where it will be retained as necessary.
  • 28 days before it is recorded over
  • Downloaded CCTV:
    • Personal injuries (adults) – 4 years
    • Personal injuries (under 16) – until their 21st birthday plus 3 months
    • Internal investigations and customer complaints – 3 months or until the necessary processes have been completed and the images no longer required
    • Circumstances that may result in litigation – until the matter is closed
  • Paper receipts for purchases in the Travel Centre – 18 months
  • Online transaction information – 5 years from the end of the tax year to which the records relate
  • Telephone call recordings – 12 months
  • Information submitted through the website or apps feedback channels – 2 years
  • Records relevant for tax purposes – 8 years from the end of the tax year to which the records relate
  • On Bus Wi-Fi – 12 months


EU – US Privacy Shield

  1. This does not apply.
  2. All data is retained within the UK.

Photography and Filming

  1. We sometimes take photographs or undertake filming on and off our buses or in our Travel Centre in order to market and promote the Company.
  2. Where photography or filming is taking place, you must tell the photographer at the time if you do not want to be included.
  3. Where photography or filming is taking place with pre-arranged models or customers, a Photography Agreement must be completed, which will outline the purpose of the shoot, the intended use of the images or filming and the period for which they will be used and retained.
  4. Our preferred photography agency uses a secure, online data storage facility to transmit their photographs and films to NCT.

Direct Marketing

  1. We are subject to rules and privacy laws when marketing to our customers. For example, a Data Subject’s prior consent will be required for electronic direct marketing (for example, by email, text or automated calls).
  2. The limited exception for existing customers known as “soft opt in” allows us to send marketing texts or emails if we have obtained contact details in the course of a sale to you (through the NCTX Buses App or purchase of an Easyrider or Uni ID card product), we are marketing similar products or services, and we give you the opportunity to opt out of marketing when first collecting the details and in every subsequent message.
  3. You can opt out of receiving our marketing emails by pressing the Unsubscribe link included on all of our emails.
  4. Your objection to direct marketing will be promptly honoured and when a customer opts out at any time, their details will be suppressed as soon as practicable. Suppression will involve retaining minimal information to ensure that marketing preferences are respected in the future.

On Bus Wi-Fi

  1. Our on-bus Wi-Fi is provided by a third party, Icomera UK Limited, who collect and process the personal data on our behalf as a data processor, in order to deliver internet connectivity to customers and other end users.
  2. To be able to provide the Wi-Fi service for you, we need to process your MAC address (device identification), train GPS position, IP address, timestamp and session ID. This data will be stored in our systems for a maximum period of 12 months and will only be used to maintain the service quality and for support issues, if necessary.
  3. During the user login process, your device ID (MAC-address) is used to authenticate the device after the Terms and Conditions have been accepted. The Terms and Conditions can be viewed here. The MAC-address is stored with associated timestamps, accounting and duration of the session, in order to offer functions such as throttling, auto-login and session termination.
  4. Icomera, in their role of Data Processor, will sometimes process additional information on behalf of Nottingham City Transport, but will not associate any MAC-address with additional personal data and will process it in accordance with GDPR regulations.
  5. Under other legislation (e.g. Telecommunication Acts, Surveillance Acts, Terror Acts) Icomera may be required to store information for a longer period than necessary for the delivery of the service, and perform additional processing activities if requested by law enforcement through legal due process.


  1. Nottingham City Transport has CCTV installed on the interior and exterior of all buses and within the Travel Centre and will use the images for the following purposes:
  • Public and employee safety
  • Road traffic collision and accident investigation
  • The detection, prevention and investigation of crime
  • External complaints and internal reports of claims of irregularities
  • To ensure compliance with company policies and procedures
  • Performance management
  • Staff training
  1. A notification sign is placed in the vicinity of the cameras so that customers are aware that they are entering an area covered by CCTV.
  2. CCTV footage is viewed only in relation to the purposes outlined in clause 65 and by Directors and Managers of Nottingham City Transport and employees who work in our Insurance, Customer Services and Schools Liaison Teams.
  3. CCTV footage is retained for:
  • Personal injuries (adults) – 4 years
  • Personal injuries (under 16) – until their 21st birthday plus 3 months
  • Internal investigations and customer complaints – 3 months or until the necessary processes have been completed and the images no longer required
  • Circumstances that may result in litigation – until the matter is closed
  1. You have the right to access personal data about yourself, including CCTV images and footage.
  2. Images and footage will only be provided upon receipt of a Subject Access Request and the provision of suitable ID to confirm the identity of the person requesting this footage. You can request a Subject Access Request Form by writing to the CCTV Supervisor, Nottingham City Transport, Lower Parliament Street, Nottingham, NG1 1GG or by emailing [email protected]
  3. If we cannot comply with the request, the reasons for not being able to do so will be documented and you will be advised of these reasons in writing.

Your Rights and Contact Us

  1. Children have the same rights as adults over their personal data. These include the rights to access their personal data; request rectification; object to processing and have their personal data erased. In the UK, the age of consent, i.e. when a child is required or able to give their consent for the processing of their own personal data, is 13 years old.
  2. An individual is only entitled to their own personal data, and not to information relating to other people. In some cases, where a third party is acting on behalf of an individual, we may disclose information if we are satisfied that the third party making the request is entitled to act on behalf of the individual. It is the third party’s responsibility to provide evidence of this entitlement.
  3. You may make a formal request for access to personal data that we hold about you at any time. This is known as a Subject Access Request (“SAR”). We must respond within one month of receipt of your request. Please note that under the GDPR we are permitted to extend the one month time period for responding by an additional two months where in our view your request is complex or numerous in nature. We may also charge a reasonable fee based on administrative costs where, in our view, your request is manifestly unfounded or excessive or a request for further copies. Alternatively, we may refuse to comply with the request in such circumstances.
  4. You have a right to ensure that the personal data we hold about you is corrected where it is inaccurate; is erased where it is no longer required and is transferred to another person upon your request. We will honour your requests relating to these matters.
  5. Our Marketing Manager is responsible for overseeing the day to day operation of the functions outlined within this policy (except CCTV) and queries relating to it and Subject Access Requests should be directed to [email protected] or to the Marketing Manager, Nottingham City Transport, Lower Parliament Street, Nottingham, NG1 1GG.
  6. You may complain to a supervisory body if you are concerned about the way we have processed your personal data. In the UK this is the ICO –
  7. Subject to clause 19, you can opt out of receiving direct marketing materials from us by contacting [email protected] and asking to be withdrawn from the mailing list.
  8. When you wish to close a website or app account or stop using an Easyrider travel card, notify us by contacting [email protected] or if you have a ‘My Easyrider’ account, using the “Forget Me” link available.
  9. You can choose to remove or disable Cookies through your browser settings at any time.

Changes to This Policy

  1. We may change this policy from time to time and will notify customers when such changes occur through our website, social media channels and directly to customers electronically, where we have permission to do so. If you do not agree with any updated elements of the Customer Privacy Policy, you must let us know straight away and stop using the services.