Privacy policy

Grand Central is committed to protecting your privacy. This privacy policy explains what personal data we collect about you, how and why we use it, and how we protect your privacy. To make it easy to navigate this privacy policy, we have outlined the key sections in the table below.

This notice (together with our Terms and Conditions and any other documents referred to in it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by Grand Central or our processing partners. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. By visiting  https://www.grandcentralrail.com or https://buy.grandcentralrail.com or providing your information in the circumstances described below, you are accepting and consenting to the practices described in this policy.

1. Who is responsible for your data?
2. What personal data do we collect?
3. Cookies
4. How we use your personal data and the legal basis for such processing?
5. Who do we share your information with?
6. Data Retention
7. Information security
8. Transferring Information Internationally
9. Updates to this Privacy Policy
10. Your Data Protection Rights
11. Questions about this Privacy Policy

1. Who is responsible for your data?

For the purpose of the Data Protection Laws, the data controller is Grand Central Railway Company Ltd (“Grand Central”) and the data processors are Journeycall Ltd ("Journeycall"), Acteol Ltd ("Acteol"), UR Group ("UR Group"), XC Trains Ltd ("CrossCountry") and The Chiltern Railway Company Ltd ("Chiltern Railways").

Individuals are advised that when using the “Website”, those pages with a web address prefixed by https://www.grandcentralrail.com/ these pages are managed by Grand Central as the data controller, (a company registered in England and Wales with registration number 03979826 and registered to 1 Admiral Way, Doxford International Business Park, Sunderland SR3 3XP).

2. What personal data do we collect?

Information provided by you

You may give us information about you by filling in forms, emailing us, contacting our staff in person or otherwise on https://www.grandcentralrail.com or https://buy.grandcentralrail.com.  This includes information you may provide when you:

• Register and consent to receive marketing information
• Register to buy ticket(s) or open a Grand Central account
• Purchase ticket(s)
• Enter a competition, promotion or survey
• Provide answers to a promotion or survey
• Make a complaint
• Claim compensation
• Request a refund
• Book passenger assistance
• Download our app
• Register to use our on-train Wi-Fi service
• Contact us via social media channels
• Report a problem with our sites
• Purchase food and drink from our on-board portal

The information you may give us may include:

• First name and last name
• Date of birth
• Address details including postcode
• Email address
• Phone number – mobile, home or work
• Disability details (passenger assistance)
• Transaction meta data (e.g. journey details)
• Relevant rail discount or loyalty cards
• Limited amount of personal data of any other passengers you are booking tickets for
• Personal descriptions and photographs
• Reason for travel
• Financial and credit card information
• Data regarding your mobile phone or PC (especially when you register to use our on-train Wi-Fi service)

Information you may provide via our website(s)

• Geographical location
• IP or MAC address or details regarding use of your mobile device or PC

Analytics

We may collect and process anonymous information about your use of the Website or Booking Service, such as some of the pages you visit and some of the searches you perform. Such information is used by us to help us improve the contents of the Website or Booking Service and to compile, for internal market research purposes, aggregate statistics about individuals using it. This kind of anonymous information can be obtained by our use of "cookies" as well as other means. Please see Section 3, 'Cookies' for more information on our use of cookies. We may also share anonymous information about your use of the Booking Service with third parties for analytical purposes.

Information we collect about you

With regard to each of your visits to either https://www.grandcentralrail.com/ or https://buy.grandcentralrail.com/ or if you register to use our Wi-Fi services we may automatically collect the following information;

• Technical information, including the Internet protocol (IP) address used to connect your computer to the internet, your login information, time zone setting, browser plug-in types and versions, and platform.
• Device: what type of device you are using (TV, smartphone, laptop, desktop)
• OS (Operating system): what operating system your device has (iOS, Android, Windows, Linux, Mac OS)
• Browser & browser version: which web browser you are using (Internet Explorer/Edge, Opera, Chrome, Firefox, Safari)
• Information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our sites (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number
• Details of your visits to our site including, but not limited to, traffic data, location data, weblogs and other communication data and the resources that you access (this is used to help track the performance of our website)
• We may also collect information about your computer, including where available your IP address, operating system and browser type for system administration, to improve the structure and content of our site and to report aggregated information to our advertisers and marketing agencies. This is statistical data about your browsing patterns which in turn enables us to track the performance of our site and advertising efforts. It also allows us to serve relevant advertising that is likely to be of interest to you and does not identify any individual. For this reason, we may collect this information even if you do not register with us on our website.

Other information we may collect;

• CCTV footage and video/audio recordings from staff body-worn cameras, which are used for the purpose of safety, security and crime prevention.
   

Information we receive from other sources

We may receive information about you if you use any of the other websites we operate or the other services we provide. We are also working closely with third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies) and may receive information about you from them.

We may receive information from other sources if you have provided permission for this to happen or if there is a legal reason for it to occur .

Sensitive personal data 

We will not intentionally or systematically seek to collect, store or otherwise use information about you classed as ‘special categories of data’ or ‘sensitive data’.

If you require any extra assistance to help you make your journey, we offer our Travel Assistance service. This may involve you providing us with sensitive personal data.

3. Cookies

Our site uses cookies to distinguish you from other users of our site. This helps us to provide you with a good experience when you browse our site and also allows us to improve our sites. For detailed information on the cookies we use and the purposes for which we use them see our Cookie Policy.

4. How we use your personal data and the legal basis for such processing?

The collection of the personal data described in Section 2, “What personal data do we collect?” is usually mandatory and, if such personal data is not provided, we will not be able to provide the information, products and services to you. Where the collection of any personal data is not mandatory, we will inform you of this prior to collection, as well as the consequences of failing to provide the relevant personal data.

Our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it.

However, we will normally process your personal information only:

• Where we have your consent to do so
• Where the processing is necessary to perform our contract with you; or
• Where the processing is in our legitimate interests or those of a third party and such interests are not overridden by your data protection interests or fundamental rights and freedoms; and
• Where we have a legal obligation to process your personal information.

Information provided by you

We use your personal information as follows:

Information provided by you for Safety purposes

Information provided by you as a Customer or Stakeholder

Information provided by you in relation to the provision of Customer Services

Information provided by you to our Human Resources Department

Information provided by you in relation to Subject Access Requests

Information provided by you in relation to you visiting a Grand Central location

Information we collect about you

We use your personal information as follows: Information we collect about you for Safety purposes

Information we collect about you as Customer or Stakeholder

Information we collect about you as a potential employee

Information we receive from other sources

We may combine this information with information you give to us and information we collect about you. We may use this information and the combined information for the purposes set out above (depending on the types of information we receive).

If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided under Section 11, “Questions about this Privacy Policy”

Information we receive from other sources for Safety purposes

Information we receive from other sources as a Customer

Information we receive from other sources for the provision of Customer Services

Information we receive from other sources in our Human Resources department

Information we receive from other sources in relation to Subject Access Requests

Never publish dirty HTML code and double check your content before publishing articles on the web!

5. Who do we share your information with?

We may disclose your personal data to the following categories of recipient for the purposes described in this Privacy Policy.

Sharing your information for Safety Purposes

• With Rail Safety and Standard Board, Rail Accident Investigation Branch, Office of Rail and Road, Government appointed enquires, legal representors and other Rail Industry Partners to meet our statutory obligations for the reporting of accidents, incidents, assaults or dangerous occurrences
• With British Transport Police, legal, other Rail Industry Partners, CCTV images required for evidential purposes in legal or disciplinary proceedings
• With Solicitors, Transcare Law, Office of Road and Rail, consumer watchdogs, and other Rail Industry Partners in accordance with Claim Allocation and Handling Agreement (CAHA) for losses property damage or personal injury
• With Emergency Services as required during emergency situations on board our services, to provide you with medical assistance if required

Sharing your information as Passenger/Member of the Public or Stakeholder

Service Providers

• We use third party service providers to carry out many of the activities listed in Section 4, “How we use your personal data and the legal basis for such processing”. This includes our Customer Relationship Management (CRM) provider Acteol as well advertising and behaviour tracking from Google and Microsoft.
• Our service providers act on our instructions, and we ensure that they take measures to keep your personal data safe
• We don’t allow our service providers to use your personal data for any purpose other than carrying out the service in question, and we only provide them with those parts of your personal data that they actually need
• Other UK Rail Operators in order that they can provide support in respect of your Smartcard products, from any given location regardless of the retailer
• Fraudulent payment detection. We use a US based payment provider who is PCI DSS Level 1 accredited who may interrogate your payment data. Your payment data is used only for the transaction and your data is not retained any longer than is required for payment processing, fraud detection/prevention and auditing
• All payments for ticket purchase through Visa and Mastercard are processed by Silverrail
• Apptentive, Inc for the purpose of managing feedback in respect of the Grand Central app
• Chiltern Railways and group bookings/carnet ticket sales
• Whoosh Media and Wi-Fi portal provision
• UR Group and Wi-Fi provision

To ensure the accuracy of our email communications, maintain the health of our email lists, and improve deliverability, we use a third-party email validation service provided by ZeroBounce (Hertza LLC) through our partners UR Group (Ultimate Renaissance Ltd) and Picopoint Solutions (Byelex Solutions B.V)

What data is shared: When you subscribe to our emails or we collect your email address, we may share your email address, name, IP address, and other related metadata with ZeroBounce for the purpose of verification and list hygiene.

Purpose of processing: ZeroBounce processes this data strictly on our behalf to validate that email addresses are active and deliverable, and to identify and remove invalid addresses, spam traps, or other harmful contacts.

Data security and retention: We have a Data Processing Agreement (DPA) in place with our partners, which contractually requires them to protect your data with robust security measures and use it solely for the specified purpose of email validation. They do not store your validation data for more than 30 days, after which it is automatically deleted from their systems, though you may also delete it manually sooner.

For further details on how ZeroBounce handles data privacy and security, please refer to their privacy policy: https://www.zerobounce.net/privacy-policy/.

Other UK Rail Operators

• We share your personal data with some operators for ticket fulfilment purposes
• We may share your email address or phone number with some operators so that they can contact you with service messages, for example if a train is cancelled.
• We may also need to share some of your personal data with any other transport carriers or other service providers who provide you with any part of the services that you’ve booked through us.

The Authorities

• In some circumstances we have a legal obligation to share parts of your personal data with police or customs authorities, regulatory authorities, government & law enforcement agencies. This may include, but is not limited to, fraud prevention and detection.
• We may also disclose your personal data to any competent law enforcement body, regulator, government agency such as Department for Transport (DFT) or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation; (ii) to exercise, establish or defend or legal rights; or (iii) to protect your vital interests or those of any other person;

Sharing your information for the provision of Customer Services

• To carry out assistance for your journey we work closely with Office of Road and Rail, Rail Delivery Group, Rail Industry partners and Taxi companies in order to continually improve the levels of service we offer customers who require such assistance when making a journey
• To allow complaints and appeals to be processed by the appropriate company in accordance with the Railways Passenger Charter
• To provide compensation for delays in line with our Passenger Charter and National Rail Conditions of Travel
• Preventing and reducing the fare evasion and offences of violence against its workforce, which may involve prosecution of perpetrators in accordance with National Conditions of Travel and National Railway Byelaws.

Sharing your information – Human Resources department

• For external suppliers to support us in our pre-appointment assessment for either job vacancies, apprenticeships, placements or our graduate training program 

Sharing your information in relation to Individual Rights Requests

• Information Commissioner Office – for the purposes of reporting, processing and investigating of Data Protection complaints or incidents received from the Information Commissioner’s Office.

Other

• We may also transfer your personal data to a buyer or potential buyer (and its agents and advisers) of Grand Central in connection with any reorganisation, restructuring, merger or sale, or other transferring of assets provided that we inform any receiving party it must use your personal information only for the purposes disclosed in this Privacy Policy.
• We may disclose your data to any other person to whom you request us to make disclosure or if you consent to such disclosure.

6. Data Retention

We will not retain your personal data for longer than is necessary to fulfil the purposes for which we collected that personal information, unless the law permits or requires that we retain it for longer.

The table below explains in more detail how long Grand Central will store different types of customer information for:

Data Retention – Safety Purposes

Data retention relating to the provision of Customer or Stakeholder

Data retention relating to the provision of Customer Services

Data retention – Human Resources department

Data retention – Individual Rights Access

7. Information Security

We apply appropriate administrative, technical and organisational security measures to protect your personal data that is under our control from unauthorised access, collection, use, disclosure, copying, modification or disposal. All information you provide to us is stored on secure servers. Grand Central is part of the Arriva plc Group, which trains its employees regarding our data privacy policies and procedures and permit authorised employees to access personal data on a need to know basis, as required for their role. We also take steps to ensure that any service provider that we engage to process personal data on our behalf takes appropriate technical and organisational measures to safeguard such personal data.

8. Transferring Information Internationally

Your personal information may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different to the laws of your country.

Specifically, we may use third party service providers located in India, Ireland, Germany, Sweden, Tunisia, the Netherlands and the US. This means that, when we collect your personal information, it may be processed in these countries. However, we have taken appropriate safeguards to require that your personal data will remain protected in accordance with this Privacy Policy. These safeguards include implementing the European Commission’s Standard Contractual Clauses for transfers of personal information to our third party service providers and further details can be provided upon request.

9. Updates to this Privacy Policy

We may update this Privacy Policy from time to time in response to changing legal, technical or business developments. When we update our Privacy Policy, we will take appropriate measures to inform you, consistent with the significance of the changes we make. We will obtain your consent to any material Privacy Policy changes if and where this is required by applicable data protection laws.

You can see when this Privacy Policy was last updated by checking the “last updated” date displayed at the top of this Privacy Policy.

10. Your Data Protection Rights

You have the following data protection rights:

• If you wish to access, correct, update or request deletion of your personal information, you can do so at any time by contacting Grand Central, via [email protected] or via our preference centre.

• Please note: We retain personal information from deactivated accounts to comply with law, prevent fraud, collect any fees owed, resolve disputes, assist with any investigations, enforce our terms and conditions, and take other actions otherwise permitted by law. We may also retain some pseudonymous data for analytics purposes so we can understand, for example, how many visitors we have had to the Website or Booking Service.

• In addition, you can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information. Again, you can exercise these rights by contacting us at [email protected] or the postal address below.

• If we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent. You can update your consent preferences at any time by logging into your account. Please note it can take up to 48 hours for this information to be updated.
  We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.

If you wish to withdraw consent from marketing communications, or close your online account with Grand Central, please contact us at any time at [email protected]. Please note that this may take up to 30 days.

1Questions about this Privacy Policy

If you have any question, concerns or complaints about this Privacy Policy or our handling of your personal data, you can contact us by email using [email protected]  or by post to the following address:

GC Data Protection Champion
Grand Central Railway
20 George Hudson St
York
YO1 6WR

If you are unsatisfied with the response, you can contact Arriva PLC's Data Protection Officer at [email protected].

You have the right to complain to a data protection authority about our collection and use of your personal information. If you are based in the European Economic Area, please contact your local data protection authority. (Contact details for data protection authorities in the European Economic Area, Switzerland and certain non-European countries are available on the EU Commission's website via the following link): http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm).