Privacy Policy

Welcome to Trainline’s Privacy Policy. When you use our services, you're trusting us with your information. This Privacy Policy will inform you as to how we look after your personal data when you use our services. We understand this is a big responsibility and we work hard to protect your personal data.

Effective: April 29th 2021 / Version 1.10

Who are we and what do we do?

We’re Trainline. We’re made up of a core group of companies working together to help you get where you need to be: 

  • Trainline.com Limited
  • Trainline SAS 

Like you, your data goes on a journey. How we collect and use your data depends on where you travel and which train or coach company you travel with. 

Your personal data and our promises to you

Your personal data is very important to us. Whenever you use our website or app, we’re committed to these four privacy promises: 

  • We’ll be crystal clear about the personal data we use, how we use it and – most importantly – why we need it.
  • We’ll give you choices when it comes to your data.
  • We’ll keep your personal data secure, using the best possible technology, people and processes.
  • We’ve cut the jargon, to help you make informed choices about your personal data.

Personal data you give us

You may need to give us your personal data to use our services and book tickets – more on that below. 

Personal data is anything that helps identify you. It’s things like:

  • name 
  • email or billing address 
  • age 
  • payment card details 
  • phone number  
  • details of any relevant railcards, discount or loyalty cards you might use

Personal data you give us about others

You may be doing a trip with other guests whose details we may also need in order for them to travel.

By entering someone else’s personal data, you confirm you’ve either got their permission to give it, or permission from their parent or guardian (if the passenger is under 16).

How we use your information

We use your information in a number of different ways — what we do depends on the information. This has been explained below in detail, showing what we do and why.

  • Necessary to pay for ticket, provide refunds and compensation for journey delays, where eligible.
  • Some of the travel operators we work with may run your data through their own payment and eticket systems, to issue your tickets.

Legal basis for processing: Processing is necessary for the performance of a contract.

  • To prevent and detect fraud against either you or Trainline.

Legal basis for processing: Processing is necessary for the purposes of Trainline's legitimate interest.

We may collect personal data (including your name, email address, phone number and journey details) to help you travel.

  • To make sure you get your tickets.
  • To contact you with essential info – booking confirmations, disruption messaging, refund info, compensation info for journey delays and service messages.
  • Keeping your account up to date (only if you choose to set one up).
  • The operator needs this info to create your tickets and may need to contact you if there is service disruption.

Legal basis for processing: Processing is necessary for the performance of a contract.

Your personal data may be used in the following ways:

When you contact us:

Feedback: If you choose to give us feedback through our website or app, we’ll use your comments, combined with others, at an aggregate level, to identify any fixes needed and to improve our products and services.

Communicating with you: When you email us or use our chat option, we use this info to help us with things like arranging refunds or choosing the right ticket.

Customer Service: If you call us, we will process your data so that our Customer Service and Operations teams can fix any issues you’ve raised, as well as for training and quality purposes.

Legal basis for processing: Trainline relies on your consent when you contact us in order to provide services you have requested from us; and our legitimate interests when we use data at an aggregate level to improve our services.

To send you relevant marketing info:

Marketing preferences: We may send you marketing if you’ve told us you want to receive it, when you register an account with us. We may also send you marketing where you have transacted with us, where we have a legitimate interest to do so.

Marketing activities: We may send things like marketing emails, webpush, inbox messages and push notifications in order to let you know about our great discounts, sales, offers and more from Trainline. This may include competitions and promotions like our Refer-a-Friend programme.

Legal basis for processing: Processing is conducted based on legitimate interests, or consent (where you have opted-in to marketing).

We want to send you marketing messages to give you the best travel deals and info, and we’ll only send you messages that we think will be relevant to you. You can choose not to hear from us at any time by clicking “unsubscribe” in any marketing email sent or by using the contact details we have provided below.

  • Travel operators have different ticket costs, based on your age. We use this info to make sure you buy the right ticket.
  • Some travel operators offer discounted Youth/Senior tickets. If so, they may need your date of birth to confirm you’re entitled to those discounts.

Legal basis for processing: Processing is necessary for the performance of a contract.

We may collect personal data (including your name, age, email address, photograph, and railcard details) when you purchase or use Railcards at Trainline.

  • We collect this info for the purpose of retailing you Railcards and checking your eligibility for purchase of certain Railcards.
  • We will also collect this info to offer you a discount on your tickets (where applicable) or add points to any loyalty scheme you are signed up to.  
  • We share this data with relevant travel operators and loyalty card scheme providers.
  • We will also share data (name and email address) with ATOC Ltd, who acts as an independent Data Controller for the purposes of selling Railcards. Customers enter into a separate contract with ATOC Ltd when purchasing a Railcard. For more info please see ATOC’s Privacy Policy.
  • ATOC Ltd, who acts as an independent Data Controller, will use this data (name and email address) for the purposes of fraud prevention and verification. For more info, including further uses for this data, please visit ATOC’s Privacy Policy.

Legal basis for processing: Processing is necessary for the performance of a contract.

We may collect personal data (including your name, email address, journey and ticket info, method of payment, photocard number and discount info) when you purchase a Season ticket at Trainline.

  • We will share this data with relevant UK rail travel operators via ATOC Limited (ATOC) and Rail Settlement Plan (RSP), who act on behalf of the UK rail travel operators and who are independent data controllers.
  • We will collect and share this info for the purposes of: confirming your identity; administering the ticket and resolving season ticket issues; fraud prevention; and providing relevant info about your journey. 
  • We will also collect and share this info for the purpose of enforcing the terms of your season ticket contract between you and the relevant UK rail travel operator.

Legal basis for processing: Processing is necessary for the performance of a contract with Trainline and in the Legitimate Interests of the relevant UK rail travel operators.

  • In the event Trainline stops selling Season tickets, personal data (as listed above) relating to customers whose season tickets have not yet expired may need to be passed to the relevant UK rail travel operators (via ATOC and RSP).
  • The relevant UK rail travel operators may use this info to provide after care services, like issuing refunds, duplicates and replacements.

Legal basis for processing: Legitimate Interests of Trainline and the relevant UK rail travel operators.

We may collect personal data (including name, age, region, email address, video and audio recordings) for market research and/or surveys.

Improving our services: We may invite you to participate in market research, such as surveys, interviews, or other activities (to improve our booking service for you). We may use third parties to carry out that research, and these third parties may require you to sign up to their terms in order to participate in such market research. We may also use carefully selected third party analytics tools to help analyse research responses.

Legal basis for processing: Consent (participants provide consent to data processing when signing up as a participant). Additional processing may also be necessary for the performance of a contract (performance of the relevant participation agreement).

If you would rather we did not contact you with market research requests, please contact us via the details below.

We want your input in our market research so that we can keep improving our products and services. We use the absolute minimum amount of your personal data to carry out this research.

Personal data we collect automatically

Whenever you use our website or app, we automatically collect certain information using cookies and device info.

We use your location data, device number and IP address to make your travels easier, by showing you things like your nearest station and when the next train home is.

We also use this data to deliver you content as fast as we can by connecting you to the closest server to you (for example, Load Balancing and Content Distribution Network).

This data also helps with security and protection from fraudsters.

Legal basis for processing: Processing is conducted based on legitimate interest.

Web browsers on all devices, and apps on phones and tablets, can accurately pinpoint your location using GPS and assisted GPS.

Your location can be determined with varying degrees of accuracy by:

  • GPS
  • IP address

Whilst some location data is collected automatically for the purposes we set out above, you’ll be asked when you use a GPS-enabled web browser or device whether you want to share this info with us. You can change this in your device or browser settings any time you like.

By logging into your social media accounts like Facebook and Google, you drop cookies. These cookies can collect info about your IP address and the pages you visit.

  • IP address
  • Other potentially identifying data

Legal basis for processing: Processing is conducted based on consent.

You choose whether you want to register with us using Google, Facebook or Apple.

Note, we don’t control Facebook, Google or Apple's actions. If you choose to use your Google, Facebook or Apple account to log in with us, you’ll be subject to Google, Facebook and Apple's privacy policies too. 

Third parties

We share your personal data with the following types of third parties.

These providers help us carry out many of the above activities. We only give them the parts of your personal data that they need. And we make it clear to them that they must keep your personal data safe and only use it for those specific services.

Sometimes we must share parts of your personal data with authorities such as the police. Generally, it’s to help them prevent fraud and crime. When we do give this data to the authorities, it’s over to them to protect your info. We only share what is legally necessary.

We work with travel operators who also need your data to create your tickets and provide services in relation to your journey as well as to deal with after-sales matters. Some travel operators may run your data through their own payment and eticket systems in order to issue your tickets or notify you of any travel disruption. We may also share your personal data with travel operators to prevent and detect fraud against either you, Trainline or the travel operator. We only share what is necessary to meet this purpose, and we make it clear to them they must keep your personal data safe.

If another company takes over or merges with a Trainline company, or if there's a restructure of the Trainline group, we'd need to transfer your personal data. It goes without saying that we’ll treat your personal data with the utmost care and respect. We'll still use your personal data in the same way as we’ve outlined in our Privacy Policy.

We may share your personal information with your employer or your employer's travel agency if you purchase a ticket as part of Trainline for Business.

Keeping your data

While you’re using our services, your personal data will be safe with us, but we’ll never keep it for longer than we need to.

As soon as we don’t need your personal data to offer our full services to you, we’ll make sure it’s either deleted or anonymised.

 

Cookies

Our website and app are so easy to use, thanks to Cookies. Cookies are tiny crumbs of personal data that we automatically collect when you use our website or app.

Let’s say you visited our website and changed your settings to pay in euros instead of pounds. Cookies help us remember your currency preference - so we can show you prices in euros next time. Pretty neat, right? 

Our Cookies Policy gives a full breakdown of how we use Cookies, and how you can edit your preferences. 

 

Personalising your experience

Just like a friendly barista who knows your daily coffee order, we want to offer you a personal service. The barista recognises you when they see your face, but we rely on cookies to know it's you.

We combine cookie data with booking and search history to tailor your experience.

See our Cookies Policy for more info. 

 

International data transfers

We transfer your personal data to other Trainline companies in our core group and service providers outside the European Economic Area (EEA). We only work with service providers that prove to us that they have the same high standards around protection of your data as we do.

Your data is always securely processed. Where we transfer your personal data outside the EEA, we have rules and steps put in place to make sure your personal data is kept safe and protected. Usually this means we’ll have standard contractual clauses approved by the European Commission in our contracts with parties outside the EEA, or we will rely on European Commission adequacy decisions. 

 

Security

We’ve put in place stringent and accredited security measures to prevent your personal data from being accidentally or maliciously accessed, used, altered or deleted without explicit authorisation. In addition, we strictly limit access to your data to just those employees, contractors and trusted third parties who have a business need to access it, and they are all subject to binding contractual confidentiality obligations. For further information on our security practices, please see our dedicated security page. 

 

Guest check out

If you’re in a rush, you can book tickets without signing in or creating an account. Your confirmation email gives you the option to create an account or link your booking to an existing account. We'd recommend doing this, as it'll be easier to manage your booking.

We'll update your account with any changes you make to your marketing preferences.

Your rights

You have personal data rights. These are:

Data portability

This applies to information you give us. You can ask us to transfer this information to another data controller in an easy-to-read manner.

Rectification

You can ask us to correct inaccurate or incomplete information.

Restrict processing

You can ask us to restrict processing of your information in some circumstances. 

Access

You can ask us for copies of your data. This right always applies but there are some exceptions. 

Erasure

You can ask us to erase your data in some circumstances.

Object to processing

You can object to how we process your data.

Getting in touch

You can contact us using any of the following methods.

Email: DPO@thetrainline.com

Post: Data Protection Officer, PO Box 23972, Edinburgh, EH3 5DA. 

We would always appreciate the opportunity to answer any questions or resolve any complaints directly via the contact points above. If you are not satisfied with our response, you have the right to complain to the relevant supervisory authority for data protection matters.

Contacting the relevant supervisory authority

You can make a complaint about how your personal data is used to the relevant supervisory authority. If you are a UK customer, you can find out more at this link. If you are based within the EU, you can find out more here.