1. About Rail Staff Travel
RST is part of the Rail Delivery Group and provides rail staff travel facilities for eligible rail industry employees and your dependants. RST is the data controller for all personal data provided via this website, and as such is responsible for ensuring its lawful and appropriate handling.
Rail Staff Travel (RST, RSTL, we, our or us) is a trading name of Rail Staff Travel Limited, a company registered in England and Wales under company number 03069020 whose registered office is at First Floor North, 1 Puddle Dock, London, EC4V 3DS.
2. About this privacy policy
The purpose of this notice is to make you aware of how we process, manage and protect your personal data, enabling you to purchase Priv-rate rail tickets online. You will be notified of any significant changes that are made to this notice, and the most up-to-date version will always be available on this website. For Rail Staff Travel’s (RST) general Privacy Notice, see see https://www.raildeliverygroup.com/rst/rst-privacy.html
3. What data do we collect about you?
This section details the different types of data we collect and process. We only collect the data needed to provide your online account and enable the online purchase of tickets.
Identity Data - Title,first name, surname, Unique User ID
Contact Data - address, postcode, and email address
Financial Data - payment card details, which are tokenised
Transaction Data – journey details, transaction details, purchase history
Technical Data - internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website
Profile Data - username and password, purchase history and favourite journeys.
Usage Data - information about how you use the Website, products, and services.
We use cookies and similar tools across our website to improve your experience and our website’s performance. To find out more about cookies, read our Cookie Policy available at see https://www.raildeliverygroup.com/rst/rst-privacy.html
4. Purposes for which we will use your personal data
We use your data to facilitate the use of your RST online account.
5. Who we share your data with
We use suppliers to facilitate and administer this Website, and to fulfil certain tickets that you may purchase. Our suppliers comply with all necessary regulations, and will only process your data for the agreed purposes detailed below. These suppliers are:
-
Worldline IT Services Limited who host and manage this Website.
-
Fast Rail Ticketing Ltd who operate the postal delivery service. They do not have access to your personal data, as they use an App that consumes our data source, and only print the label and send the tickets by post.
-
Network Merchants Limited (who process payments via this Website).
Only you, the account holder, can view and buy tickets in your online account. However, season tickets approved for any family member can also be viewed and purchased by both the Primary Cardholder and their Spouse/Partner through their own account.
On request, your data may be disclosed to relevant law enforcement bodies, train operating companies or Transport for London for fraud management and to investigate fraudulent activity that involves the use of rail staff travel facilities. Data may also be shared with your employer, where requested, to assist with disciplinary investigations. This will only be shared with RST named contacts within your company. In both instances, the data shared may include journey data where available (e.g. if you have a smartcard or barcode ticket).
Upon valid request, we may also need to share your information with regulatory or Government bodies, the police or other law enforcement bodies. These requests are assessed on a case-by-case basis and your privacy is always taken in to consideration.
We may also pass Aggregated Data on the usage of our site (e.g. we might disclose the median ages of visitors to our site, or the numbers of visitors to our site that come from different geographic areas) to third parties but this will not include information that can be used to identify you personally.
6. Keeping your data safe
We take your privacy seriously and are committed to maintaining the privacy and security of the personal data you provide to us, and the choices you have regarding our collection and use of your personal data.
Once we have received your personal data, we follow strict security procedures as to how your personal data is stored and used, and who sees it, to help stop any unauthorised access and all payment transactions made on the website are encrypted.
All processing of your data occurs within the UK or EEA. However, in the event that issues occur with the UK or EEA based servers, or our payments processing system, servers located in the United States will be utilised. All transfers of data to locations outside of the UK or EEA shall be covered by appropriate security measures, backed up by contractual obligations, to ensure that your data continues to be processed in an appropriate, lawful and safe manner.
7. How long do we keep your personal data?
TWe will keep your personal data for no longer than is necessary for the purposes for which it was obtained. For your online account, your account will be deleted two years after you last signed into it.
All booking data is removed automatically 14 months after the booking is completed.
8. What are your rights?
You have several rights in relation to your personal data. You can at any time close your online account yourself, as long as:
-
You do not have bookings with future travel dates
-
You do not have bookings that are still eligible for refunds
If you do, we will advise you of the date that you can close your account.
You additionally have the right to request that we:
-
provide you with a copy of the information we hold about you, known as a Subject Access Request;
-
update any of your personal information if it is inaccurate or out of date;
-
delete the personal data we hold about you - if we are providing services to you and you ask us to delete personal data we hold about you then we may be unable to continue providing those services to you;
-
restrict the way in which we process your personal data;
-
stop processing your data if you have valid objections to such processing;
For more information on your rights, please contact us using the information provided in Section 8, or if you would like to exercise any of your rights, please go to https://privacyportal-eu-cdn.onetrust.com/dsarwebform/9b3b1acc-9f1b-4f29-b26a-0e42305da169/48b24b68-bc8d-4051-a5b4-37eb3278610b.html to submit a request.
We may need to request further information from you to aid us in completing your request, including proof of identity in the case of subject access requests. This is used as an added security measure to ensure that your data is not disclosed in error to any third parties.
9. How to contact us
If you have any questions or concerns about how we handle your personal data, you can contact us using any one (or more) of the following:
Post: Data Protection Partner Rail Staff Travel, PO Box 80612, London, EC4P 4NH
Email: rst@raildeliverygroup.com
If you would like to exercise your rights you can do so by clicking here and filling out our online form.
Please include your name, address and any other relevant information in all communications to help us deal with your request.
If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your data, you have the right to lodge a complaint with the Information Commissioner’s Office. You can contact them by calling 0303 123 1113. Or go online to www.ico.org.uk/concerns (opens in a new window; please note we are not responsible for the content of external websites). If you are based outside the UK, you have the right to lodge your complaint with the relevant data protection regulator in your country of residence.
Last updated: 10 August 2023