Skip to content

Customer Privacy Policy

This Customer Privacy Policy is effective from Friday 25th May 2018.

You can download a PDF of this policy here.

Introduction

  1. This Privacy Policy applies to all products, services, websites and apps offered by Nottingham City Transport Limited, registered at Lower Parliament Street, Nottingham, NG1 1GG.
  2. These products, services, websites and apps are referred to collectively as “services” in this policy.
  3. In addition to our Privacy Policy, customers should familiarise themselves with the following: NCT Terms and Conditions of Carriage; Easyrider Terms and Conditions of Issue; NCTX Buses App Terms and Conditions; Wi-Fi Terms and Conditions.
  4. Where abbreviated, “GDPR”, refers to the General Data Protection Regulation.
  5. We will only collect and process your personal data in accordance with Data Protection Legislation and we will adhere to the principles (as applicable) contained within GDPR.
  6. We collect and process your personal data to comply with our legal obligations; to pursue our legitimate interests as a business and where you have given us consent to do so.

The Information We Collect

  1. We collect personal data in order to be able to provide you with our services.
  2. To access some of our services, e.g. Mobile Ticketing in the NCTX Buses App, topping up an Easyrider card or viewing “Favourites”, you must register for an account.
  3. The types of personal data we collect are: name, postal address, email address, date of birth, telephone number, social media handle
  4. We collect usage information about you whenever you interact with our website and apps. This includes the pages you have visited, what you click on, your device settings, how you arrived on our website etc.
  5. We collect information from your device and the application you use to access our services. Device data includes your IP address, operating system version, device type, system and performance information and browser type. If you are using a mobile device, we also collect the UUID for that device.
  6. Some services make use of location data sent from a customer’s device. You can turn this functionality off at any time by turning off the Location Settings on your device.
  7. We use third party tracking services that employ cookies to collect data about visitors to our websites and apps. This data includes usage and user statistics. Please refer to our Cookies Policy below.
  8. Our web servers keep log files that record data each time a device accesses those servers. The log file contains data about the nature of the access, including (but not exclusively): originating IP addresses, internet service providers, files viewed, operating system versions, device type and time stamps, choice of language, page you enter and exit the website.
  9. If you make a payment to Nottingham City Transport, we require you to provide your name, address, email address and financial details. These financial details can include your card number, issue and expiry date, CVC number, account name and number and sort code.
  10. We record all calls made to our Travel Centre (0115 950 60 70) and use a suppression facility when personal data (e.g. bank card details) are passed.

How We Use the Information We Collect

  1. We process personal data about you, with your consent or in order to improve our services and develop new products and features.
  2. Information collected from use of our websites and apps is used to allow us to track the most visited and most useful parts of those services; to identify what are our most popular services; to deliver these services effectively, to troubleshoot problems, fix bugs, monitor abuse, track behaviour (aggregated / anonymously) to understand trends and to develop new features.
  3. Information provided by you for the creation of an account is required so we can provide you with our services, charge you for our services, provide you with customer support and contact you about our services or account.
  4. We use contact information to respond to customer queries, send customers information as part of providing the services and to send marketing information. Customers can opt out of receiving marketing information.
  5. We use a customer’s email address to send them marketing newsletters, unless you opt out of general updates on your account or by clicking “unsubscribe”
  6. We occasionally contact customers about matters that are of a ‘transactional nature’, which includes service-related announcements, payment, changes to policies or services, welcome email, notification of a Direct Debit payment change. You cannot opt out of these communications because they are required to provide our services to you.
  7. Information collected when using our On Bus Wi-Fi is outlined under the section headed “Wi-Fi”.
  8. We collect information using Cookies to ensure full functionality of the services provided; to determine the success of our advertising campaigns and to measure the performance of email messaging to improve email deliverability and open rates. Please refer to our “Cookies” section of this policy.
  9. To manage our services, we will use your information and data internally to enforce Terms and Agreements; to prevent illegal activities; to screen for abuse of services and to improve our products and services (anonymised).
  10. To respond to legal requests or to prevent fraud, we may need to use and disclose information or data we hold about you to the Police or Home Office.
  11. As a result of the data we collect, we profile this information with third party sources, which enables us to make our sales and marketing more relevant to you and to personalise our marketing campaigns and website experiences. You can view their Privacy Policies below:
Facebook https://www.facebook.com/about/privacy
Twitter https://twitter.com/en/privacy
Campaign Monitor https://www.campaignmonitor.com/policies/#privacy-policy
Stripe https://stripe.com/gb/privacy
Passenger Technology Group https://www.discoverpassenger.com/privacy-policy/

Information We Share

  1. In order to provide certain aspects of our services, we use trusted key partners for:
    1. Customer email distribution
    2. Provision of our websites and apps
    3. Facilitating customers making payments through our websites and apps
    4. Delivering and tracking marketing and advertising
    5. Tracking web conversions
  1. We have written Agreements with all of our trusted partners that cover data protection and privacy and they must demonstrate to us that they are GDPR compliant on a routine basis.
  2. Trusted partners currently used are: Ambidect, Campaign Monitor, Facebook, Global Iris, Icomera, Page One Media, Passenger Technology Group, Stripe, Twitter, We are Base. You can view their Privacy Policies below:
Facebook https://www.facebook.com/about/privacy
Twitter https://twitter.com/en/privacy
Campaign Monitor https://www.campaignmonitor.com/policies/#privacy-policy
Icomera http://www.icomera.com/policies/
Stripe https://stripe.com/gb/privacy
Passenger Technology Group https://www.discoverpassenger.com/privacy-policy/
Ambidect https://help.learnwithmobile.com/#/App/LearningContents/Privacy-Policy
Global IRIS https://resourcecentre.globaliris.com/privacypolicy
Page One Media https://pageonemedia.co.uk/website-privacy-notice/
We are Base https://wearebase.com/cookie-policy/
  1. We are a participant in the Robin Hood Travel Scheme and information relating to travel use is provided to the administrators of that Scheme, Nottingham City Council, in order for customers to be charged the appropriate price and for NCT to be paid for the appropriate customers carried.
  2. We provide a Staff Travel Scheme with employers, that enables employees to pay for their travel through their salary. Your employer will share with us with your details in order for you to join and leave the scheme.
  3. Any personal data, not relating to clauses 31 and 32, that is shared with third party organisations will be anonymised.
  4. We also have to share information or data in order to:
    1. Meet applicable laws and regulations
    2. Comply with Police and Home Office requests
    3. Enforce policies and agreements
    4. Detect, prevent and address fraud, security or technical issues

Cookies

  1. Cookies are small bits of data stored on the device you use to access our websites or apps, which are used to recognise repeat users.
  2. We use cookies to collect data about visitors to our websites and apps, which optimises the functionality of these services. We use Cookies for the following main reasons:
    1. Collecting data about how customers interact and use our services
    2. Make our websites and apps easier to use e.g. staying signed in for when you revisit the site
    3. Security reasons e.g. to authenticate your identity
    4. Provide you with customised content e.g. favourite stops, journeys, buses
    5. Improve our services
    6. Advertise to you, either directly or through trusted third parties
  1. The Cookies we use are:
Cookie Name Purpose Type
Visitor Tracking __utma, __utmb, __utmc, __utmt, __utmz, _ga Google Analytics cookies are used to collect information about how visitors use our website. This information is used to help us improve the way the website works. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they have visited. Performance and Analytical
Cookie Test wordpress_test_cookie This is a cookie that is set by the site to make sure that you have chosen to accept cookies. It collects no other data and has no other function. Performance
User Logged in State wordpress_logged_in This is a cookie that is set by the site to record the your logged in state across sessions. It is only set if the user logs in and is removed when they log out. Performance
Geography and Timezones wp-settings-1
wp-settings-time-1
These cookies contain information about your geographic location. They have no impact on your user experience and store no personal information. Performance and Analytical
Hide Latest Disruptions __hide_latest_disruptions This cookie is set when hiding the disruptions alert that appears at the top of pages. It will set the date at the current time and ensure you do not see any further disruptions until there are new ones. It collects no other data and has no other function. It expires after 7 days. Performance
Web Form Security csrftoken This cookie is designed to help protect a site against at particular type of software attack on web forms. Performance
Redirect to current page wordpress_redirect This cookie allows us to return you to the same page you are currently viewing after logging in. Performance
Nctx.co.uk cookies cfduid This is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis. For example, if the visitor is in a coffee shop where there are a bunch of infected machines, but the specific visitor’s machine is trusted (e.g. because they’ve completed a challenge within your Challenge Passage period), the cookie allows us to identify that client and not challenge them again. It does not correspond to any user ID in your web application, and does not store any personally identifiable information. Performance
Nctx.co.uk cookies PHPSESSID Anonymous cookie to help keep track of a user’s session Analytical
New Relic cookies SESSIONID This helps us keep the website stable and monitored. Performance
Facebook Pixel Cookies sb, fr Uses Facebook Pixel to anonymously track Facebook users to allow us to serve relevant and targeted ads. Analytical
  1. You can choose to remove or disable Cookies through your browser settings at any time.

NCTX Buses App

  1. Nottingham City Transport and Passenger Technology Group act as joint Data Controller for personal data gathered from our apps. This means the responsibility for data protection is shared between both parties, though Nottingham City Transport is the point of contact for data subjects, as outlined under “Your Rights and Contact Us”.

Security

  1. We take our responsibility to protect and secure your information seriously.
  2. All personal data is securely stored within data centres inside the European Economic Area.
  3. We provide training to staff on how to recognise a data breach and all data breaches are evaluated within 48 hours. Data breaches are managed under GDPR regulations and logged in a Data Breach Log and reported to the Information Commissioner’s Office where applicable.
  4. You are responsible for maintaining the security of your account, user names, passwords and personal details when using our services on your device.
  5. You are responsible for ensuring that your device is operating to the latest operating versions and with appropriate security measures in place.
  6. We regularly review operating systems and browsers and implement new security measures as they are released. To ensure we can protect your data, we routinely stop supporting older browsers and operating systems and you should ensure you are using a supported version, which for the main browsers are:
    1. IOS – 9 or above
    2. Android – KitKat (4.4) or above
    3. Internet Explorer – V11 or above
    4. Safari – 9 or above
    5. Chrome – 40 or above

Data Retention

  1. We retain data in order to be able to effectively provide our customers with services and for the business to function.
  2. Personal data is removed where possible or anonymised if the record entity is required (for example, for accounting purposes or trends analysis).
  3. Data is securely erased and/or deleted, using approved software or collection services. This follows industry best practices, for example the use of paper shredding and computer file shredding software.
  4. Retention periods for key data we collect and process are outlined below:
Type of Data Retention Period
Relating to an account on our websites or apps

Until you notify us you wish to close the account of use the “Forget me” function to delete it

 

Easyrider Travel Card

Until you notify us you no longer require the card

 

Customer Query or Complaint

2 years, unless required to defend legal cases, where it will be retained as necessary.

 

On Bus CCTV

28 days before it is recorded over

 

Downloaded CCTV

Personal injuries (adults) – 4 years

 

Personal injuries (under 16) – until their 21st birthday plus 3 months

 

Internal investigations and customer complaints – 3 months or until the necessary processes have been completed and the images no longer required

 

Circumstances that may result in litigation – until the matter is closed

 

Paper receipts for purchases in the Travel Centre

18 months

 

 

Online transaction information

 

5 years from the end of the tax year to which the records relate
Telephone call recordings

12 months

 

Information submitted through the website or apps feedback channels

2 years

 

 

Records relevant for tax purposes 8 years from the end of the tax year to which the records relate
On Bus Wi-Fi 12 months

 

EU – US Privacy Shield

  1. We comply with the US-EU Privacy Shield Framework regarding the collection, use and retention of personal data that may be subject to onward transfer to organisations within the US.
  2. In certain circumstances, Passenger Technology Group will process personal data that originates from the EU in the United States. Passenger Technology Group provide a level of protection of privacy that complies with the EU rules. To ensure this, Passenger Technology Group only use vendors certified under the Privacy Shield.

Photography and Filming

  1. We sometimes take photographs or undertake filming on and off our buses or in our Travel Centre in order to market and promote the Company.
  2. Where photography or filming is taking place, you must express to the photographer at the time you do not want to be included.
  3. Where photography or filming is taking place with pre-arranged models or customers, a Photography Agreement must be completed, which will outline the purpose of the shoot, the intended use of the images or filming and the period for which they will be used and retained.
  4. Our preferred photography agency uses a secure, online data storage facility to transmit their photographs and films to NCT.

Direct Marketing

  1. We are subject to rules and privacy laws when marketing to our customers. For example, a Data Subject’s prior consent will be required for electronic direct marketing (for example, by email, text or automated calls).
  2. The limited exception for existing customers known as “soft opt in” allows us to send marketing texts or emails if we have obtained contact details in the course of a sale to you (through the NCTX Buses App or purchase of an Easyrider or Uni ID card product), we are marketing similar products or services, and we give you the opportunity to opt out of marketing when first collecting the details and in every subsequent message.
  3. You can opt out of receiving our marketing emails by pressing the Unsubscribe link included on all of our emails.
  4. Your objection to direct marketing will be promptly honoured and when a customer opts out at any time, their details will be supressed as soon as practicable. Suppression will involve retaining minimal information to ensure that marketing preferences are respected in the future.

On Bus Wi-Fi

  1. Our on-bus Wi-Fi is provided by a third party, Icomera UK Limited, who collect and process the personal data on our behalf as a data processor, in order to deliver internet connectivity to customers and other end users.
  2. To be able to provide the Wi-Fi service for you, we need to process your MAC address (device identification), train GPS position, IP address, timestamp and session ID. This data will be stored in our systems for a maximum period of 12 months and will only be used to maintain the service quality and for support issues, if necessary
  3. During the user login process, your device ID (MAC-address) is used to authenticate the device after the Terms and Conditions have been accepted. The Terms and Conditions can be viewed here. The MAC-address is stored with associated timestamps, accounting and duration of the session, in order to offer functions such as throttling, auto-login and session termination.
  4. Icomera, in their role of Data Processor, will sometimes process additional information on behalf of Nottingham City Transport, but will not associate any MAC-address with additional personal data and will process it in accordance with GDPR regulations.
  5. Under other legislations (e.g. Telecommunication Acts, Surveillance Acts, Terror Acts) Icomera may be required to store information for a longer period than necessary for the delivery of the service, and perform additional processing activities if requested by law enforcements through legal due process. 

CCTV

  1. Nottingham City Transport has CCTV installed on the interior and exterior of all buses and within the Travel Centre and will use the images for the following purposes:
  • Public and employee safety
  • Road traffic collision and accident investigation
  • The detection, prevention and investigation of crime
  • External complaints and internal reports of claims of irregularities
  • To ensure compliance with company policies and procedures
  • Performance management
  • Staff training
  1. A notification sign is placed in the vicinity of the cameras so that customers are aware that they are entering an area covered by CCTV.
  2. CCTV footage is viewed only in relation to the purposes outlined in clause 65 and by Directors and Managers of Nottingham City Transport and employees who work in our Insurance, Customer Services and Schools Liaison Teams.
  3. CCTV footage is retained for:
  • Personal injuries (adults) – 4 years
  • Personal injuries (under 16) – until their 21st birthday plus 3 months
  • Internal investigations and customer complaints – 3 months or until the necessary processes have been completed and the images no longer required
  • Circumstances that may result in litigation – until the matter is closed
  1. You have the right to access personal data about yourself, including CCTV images and footage.
  2. Images and footage will only be provided upon receipt of a Subject Access Request and the provision of suitable ID to confirm the identity of the person requesting this footage. You can request a Subject Access Request Form by writing to the CCTV Supervisor, Nottingham City Transport, Lower Parliament Street, Nottingham, NG1 1GG or by emailing [email protected]
  3. If we cannot comply with the request, the reasons for not being able to do so will be documented and you will be advised of these reasons in writing.

Your Rights and Contact Us

  1. You may make a formal request for access to personal data that we hold about you at any time. This is known as a Subject Access Request (“SAR”).  We must respond within one month of receipt of your request. Please note that under the GDPR we are permitted to extend the one month time period for responding by an additional two months where in our view your request is complex or numerous in nature.  We may also charge a reasonable fee based on administrative costs where, in our view, your request is manifestly unfounded or excessive or a request for further copies. Alternatively, we may refuse to comply with the request in such circumstances.
  2. You have a right to ensure that the personal data we hold about you is corrected where it is inaccurate; is erased where it is no longer required and is transferred to another person upon your request. We will honour your requests relating to these matters.
  3. Our Marketing Manager is responsible for overseeing the day to day operation of the functions outlined within this policy (except CCTV) and queries relating to it and Subject Access Requests should be directed to [email protected] or to the Marketing Manager, Nottingham City Transport, Lower Parliament Street, Nottingham, NG1 1GG.
  4. You may complain to a supervisory body if you are concerned about the way we have processed your personal data. In the UK this is the ICO – ico.org.uk
  5. Subject to clause 19, you can opt out of receiving direct marketing materials from us by contacting [email protected] and asking to be withdrawn from the mailing list.
  6. When you wish to close a website or app account or stop using an Easyrider travel card, notify us by contacting [email protected] or if you have a ‘My Easyrider’ account, using the “Forget Me” link available.
  7. You can choose to remove or disable Cookies through your browser settings at any time.

Changes to This Policy

  1. We may change this policy from time to time and will notify customers when such changes occur through our website, social media channels and directly to customers electronically, where we have permission to do so. If you do not agree with any updated elements of the Customer Privacy Policy, you must let us know straight away and stop using the services.
Live Bus Times