Customer Privacy Policy

This Customer Privacy Policy is effective from 17th October 2021 and replaces the previous version, dated 5th January 2021.

Introduction
This Privacy Policy applies to all products, services, websites, apps and the Alexa Skill offered by Nottingham City Transport Limited, registered at Lower Parliament Street, Nottingham, NG1 1GG (“we”, “us” or “our”).
These products, services, websites, apps and the Alexa Skill are referred to collectively as “services” in this policy.
In addition to our Privacy Policy, customers should familiarise themselves with the following: NCT Terms and Conditions of Carriage; Easyrider Terms and Conditions of Issue; NCTX Buses App Terms and Conditions; Wi-Fi Terms and Conditions; Alexa Skill Terms of Use.
This Privacy Policy explains how and why we use your personal data in connection with your use of our services. We are committed to respecting your privacy and protecting your personal data and this policy will explain the types of personal data we collect and your rights regarding this data.
The Information We Collect
We collect personal data in order to be able to provide you with our services.
To access some of our services, e.g. Mobile Ticketing in the NCTX Buses App, topping up an Easyrider card or viewing “Favourites”, you must register for an account and we will collect user data you provide to us when you create or update your account, such as:
your name;
contact details including your email address and phone number;
your username and password; and
your date of birth.
We collect activity data about you whenever you interact with our services and will include data that is created during the use of our services and your use of the NCTX Buses App, such as:
transaction information relating to the use of our services, including the types of services provided, journey date and times, amounts charged, distance travelled and payment method;
transaction information relating to the use of our services, including the types of services provided, ride date and times, amounts charged, distance travelled and payment method;
device data, through the use of unique device identifiers - in particular to create a unique ID (for audit purposes and to allow us to associate a device/devices with a particular user) and to identify the operating system of the device through which you use the app (to ensure the effective operation of the app on your device). If you are using a mobile device, we also collect the UUID for that device;
information about the pages you visit on our websites, search queries etc, including originating IP addresses, internet service providers, files viewed, operating system versions, device type and time stamps, choice of language, pages you enter and exit on the website;
payment information – where you make a payment to Nottingham City Transport, we require you to provide your name, address and email address. Financial details, which can include your card number, issue and expiry date, CVC number, account name and number and sort code are not stored by us and are processed by Stripe. You can find their privacy policy here https://stripe.com/gb/privacy; and
communication data - we record all calls made to our Travel Centre (0115 950 60 70) and use a suppression facility when bank card details are passed.
Some services make use of location data sent from a customer’s device. You can turn this functionality off at any time by turning off the Location Settings on your device.
We use third party tracking services that employ cookies to collect data about visitors to our websites and apps. This data includes usage and user statistics. Please refer to our Cookies Policy.
How We Use the Information We Collect
We only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
Where we need to perform a contract we are about to enter into or have entered into with you;
Where it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests; or
Where we need to comply with a legal obligation.
We have set out below a description of the ways in which we plan to use your personal data, and the lawful justification we rely upon when we do so. We may process your personal data for more than one lawful ground depending on the specific circumstances; where this is the case, you can contact us for further information on which legal ground we are relying on when processing your personal information.
Purposes for which we use your data and our lawful basis including basis of our legitimate interest:

To register you as a passenger and user of our app, which is necessary in order to perform a contract we have in place with you;
To process and take payments from you for services provided, which is necessary (1) in order to perform a contract we have in place with you and (2) for our legitimate interests (to recover payments which are due to us);
To send communications to you through this app in relation to journeys and the services provided to passengers and users, which is necessary for our legitimate interests (to provide effective services to passengers and end users);
To identify unsafe or fraudulent behaviour, which is necessary (1) in order to comply with legal obligations to which we are subject; and (2) for our legitimate interests (to provide safe and reliable services to our passengers and end users and to ensure the safety of our staff);
To manage our relationship with you, which may include notifying you of changes to our privacy policy or terms of use/service, and asking you to take part in surveys, which is necessary in order to perform a contract we have in place with you;
To provide, maintain and improve our services, including developing new features, which is necessary for our legitimate interests (to better understand our customers and services, to keep our app and services updated and relevant, to develop our business and to inform our marketing strategy);
To perform internal operations and for internal record keeping purposes, including preventing fraud or abuse of our services, troubleshooting software bugs and operational problems, conducting data analysis, testing and research, and monitoring and analysing usage and activity trends, which is necessary (1) to comply with a legal obligation to which we are subject; and (2) for our legitimate interests (to define types of customers for our products and services, to keep our app updated and relevant, to develop our business and to inform our marketing strategy);
To make suggestions and recommendations to you about goods or services that may be of interest to you, which (1) is necessary for our legitimate interests (to develop our products/services and grow our business) where lawful; or (2) may only be required where we have your consent to do so (and where your consent is required); and
To comply with requests for information raised with us by law enforcement authorities and regulatory bodies, which is necessary to comply with legal and regulatory obligations to which we are subject.
Information We Share
We share your data with certain third parties set out below for the purposes set out in the “How we use the information we collect” section above:
Third party aggregators who provide the technology platforms through which we offer our services to you (e.g. Stripe);
Service providers (acting as processors) who provide IT and system administration services in connection with your use of our website and/or the NCTX Buses app, including the Passenger Technology Group; and
Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
Trusted partners currently used are: Ambidect, Campaign Monitor, Facebook, Google, Global Iris, Icomera, Page One Media, Passenger Technology Group, Stripe, Twitter, We are Base, Amazon.com Inc and its affiliates. You can view their Privacy Policies below:
Facebook: https://www.facebook.com/about/privacy
Twitter: https://twitter.com/en/privacy
Campaign Monitor: https://www.campaignmonitor.com/policies/#privacy-policy
Icomera: http://www.icomera.com/policies/
Stripe: https://stripe.com/gb/privacy
Passenger Technology Group: https://www.discoverpassenger.com/privacy-policy/
Ambidect: https://help.learnwithmobile.com/#/App/LearningContents/Privacy-Policy
Global IRIS: https://www.globalpaymentsinc.com/en-gb/privacy-statement
Page One Media: https://pageonemedia.co.uk/website-privacy-notice/
Google: https://policies.google.com/privacy?hl=en
Amazon Alexa: https://www.amazon.co.uk/gp/help/customer/display.html/?nodeId=GA7E98TJFEJLYSFR

We are a participant in the Robin Hood Travel Scheme and Nottingham Contactless and information relating to travel use is provided to the administrators of these Schemes, Nottingham City Council, in order for customers to be charged the appropriate price and for us to be paid for the appropriate customers carried.
We provide a Staff Travel Scheme with employers that enables employees to pay for their travel through their salary. Your employer will share your details with us in order for you to join and leave the scheme.
NCTX Buses App
Nottingham City Transport engages Passenger Technology Group to act as processor for personal data gathered from our apps. Nottingham City Transport is the point of contact for data subjects, as outlined under “Your Rights and Contact Us”.
Security
We take our responsibility to protect and secure your information seriously.
All personal data we hold is securely stored within data centres inside the United Kingdom.
In order to prevent unauthorised access or disclosure we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online. Measures we take include placing confidentiality requirements on our staff members and service providers and destroying or permanently anonymising personal information if it is no longer needed for the purposes for which it was collected.
As the security of information depends in part on the security of the computer you use to communicate with us and the security you use to protect any usernames and passwords necessary to make use of our app, please take appropriate measures to protect this information.
We regularly review operating systems and browsers and implement new security measures as they are released. To ensure we can protect your data, we routinely stop supporting older browsers and operating systems and you should ensure you are using a supported version, details of which are accessible here (supported web browsers) and here (supported mobile devices).
Transfers of Your Personal Data to Locations Outside the United Kingdom
Your data will not be transferred outside of the United Kingdom.
Storing Your Personal Information
We retain data for as long as is reasonably necessary for the purpose for which it was collected, as explained in this notice.
Personal data is removed where possible or anonymised if the record entity is required (for example, for accounting purposes or trends analysis).
Data is securely erased and/or deleted, using approved software or collection services. This follows industry best practices, for example the use of paper shredding and computer file shredding software.
In specific circumstances, we may store your personal information for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal information.
Retention periods for key data we collect and process are outlined below:
Type of Data | Retention Period
Relating to an account on our digital services | Until you notify us you wish to close the account or use the “Forget me” function to delete it
Easyrider Travel Card | 2 years unless you notify us you no longer require the card
Customer Query or Complaint Details Submitted | 2 years
On Bus CCTV | 28 days before it is recorded over
Downloaded CCTV | Personal injuries (adults) – 4 years; Personal injuries (under 16) – until their 21st birthday plus 3 months; Internal investigations and customer complaints – 3 months
Paper receipts for purchases in the Travel Centre | 18 months
Online transaction information | 5 years from the end of the tax year to which the records relate
Telephone call recordings | 12 months
Information submitted through the website or apps feedback channels | 2 years
Records relevant for tax purposes | 8 years from the end of the tax year to which the records relate
On Bus Wi-Fi | 12 months

Photography and Filming
We sometimes take photographs or undertake filming on and off our buses or in our Travel Centre in order to market and promote the Company.
Where photography or filming is taking place, you must tell the photographer at the time if you do not want to be included.
Where photography or filming is taking place with pre-arranged models or customers, a photography agreement must be completed, which will outline the purpose of the shoot, the intended use of the images or filming and the period for which they will be used and retained.
Our preferred photography agency uses a secure, online data storage facility to transmit their photographs and films to NCT.
Direct Marketing
We are subject to rules and privacy laws when marketing to our customers. For example, a Data Subject’s prior consent will be required for electronic direct marketing (for example, by email, text or automated calls).
The limited exception for existing customers known as “soft opt in” allows us to send marketing texts or emails if we have obtained contact details in the course of a sale to you (through the NCTX Buses App or purchase of an Easyrider or Uni ID card product), we are marketing similar products or services, and we give you the opportunity to opt out of marketing when first collecting the details and in every subsequent message.
You can opt out of receiving our marketing emails by pressing the Unsubscribe link included on all of our emails, or by contacting [email protected]
Your objection to direct marketing will be promptly honoured and when a customer opts out at any time, their details will be suppressed as soon as practicable. Suppression will involve retaining minimal information to ensure that marketing preferences are respected in the future.
On Bus Wi-Fi
Our on-bus Wi-Fi is provided by a third party, Icomera UK Limited, who collect and process personal data on our behalf as a data processor, in order to deliver internet connectivity to customers and other end users.
To be able to provide the Wi-Fi service for you, we need to process your MAC address (device identification), train GPS position, IP address, timestamp and session ID. During the user login process, your device ID (MAC-address) is used to authenticate the device after the Terms and Conditions have been accepted. The Terms and Conditions can be viewed here. The MAC-address is stored with associated timestamps, accounting and duration of the session, in order to offer functions such as throttling, auto-login and session termination.
CCTV
Nottingham City Transport has CCTV installed on the interior and exterior of all buses and within the Travel Centre and will use the images for the following purposes:
Public and employee safety
Road traffic collision and accident investigation
The detection, prevention and investigation of crime
External complaints and internal reports of claims of irregularities
To ensure compliance with company policies and procedures
Performance management
Staff training
Please see our CCTV Policy here

Your Rights and Contact Us
Your legal rights

Under certain circumstances and subject to certain exemptions, you have rights under data protection laws in relation to your personal data. We may ask you for additional information to confirm your identity and for security purposes, before responding to a request you raise. We reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive.
Children have the same rights as adults over their personal data. These include the rights to access their personal data, request rectification, object to processing and have their personal data erased. In the UK, the age of consent, i.e. when a child is required or able to give their consent for the processing of their own personal data, is 13 years old.
You can exercise your rights by contacting us using the details below. Subject to legal and other permissible considerations, we will make every reasonable effort to honour your request promptly or inform you if we require further information in order to fulfil your request. We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way.
Right to access

You have a right to request that we provide you with a copy of your personal information that we hold and you have the right to be informed of the source of your personal information, the purposes, legal basis and methods of processing and the entities or categories of entities to whom your personal information may be transferred.
Right to rectify or erase personal information

You have a right to request that we rectify inaccurate personal information. We may seek to verify the accuracy of the personal information before rectifying it.
You can also request that we erase your personal information in limited circumstances where:
it is no longer needed for the purposes for which it was collected,
you have withdrawn your consent (where our processing was based on your consent),
following a successful right to object (see details of your right to object below),
it has been processed unlawfully, or
to comply with a legal obligation to which we are subject.
We will not be required to comply with your request to erase personal information if the processing of your personal information is necessary for compliance with a legal obligation or for the establishment, exercise or defence of legal claims.
Right to restrict our processing of your personal data

You can ask us to restrict your personal information, but only where:
its accuracy is contested, to allow us to verify its accuracy,
the processing is unlawful, but you do not want it erased,
it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims, or
you have exercised the right to object, and verification of overriding grounds is pending.
Right to transfer your personal information

You can ask us to provide your personal information to you in a structured, commonly used, machine-readable format, or you can ask to have it transferred directly to another data controller, but in each case only where the processing is based on your consent or on the performance of a contract with you and the processing is carried out by automated means.
Right to object to our processing of your personal data

You can object to any processing of your personal data which has our legitimate interests as its legal basis, if you believe your fundamental rights and freedoms outweigh our legitimate interests.
If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.
Contact Us
You can contact us in connection with any and all issues arising from this privacy notice in the following ways:
[email protected]
Data Protection Officer, Nottingham City Transport, Lower Parliament Street, Nottingham, NG1 1GG.
If you have any questions, concerns or complaints regarding our compliance with this notice and the data protection laws, or if you wish to exercise your rights, we encourage you to first contact us. We will investigate and attempt to resolve complaints and disputes and will make every reasonable effort to honour your wish to exercise your rights as quickly as possible and in any event, within the timescales provided by data protection laws.
How to Contact Regulatory Authorities
If you feel that we have not addressed your concern in a satisfactory manner, you have the right to report your concern to an appropriate regulatory authority. If you are located in the UK then you have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk).
Changes to This Policy
We may change this policy from time to time and will notify customers when such changes occur through our website, social media channels and directly to customers electronically, where we have permission to do so.