Effective: 5th November 2019
At Loco2, we are serious about your privacy and security. We believe in being open and transparent about how we collect and use your information.
Loco2 sells train tickets, not information. We don’t sell your Personal Data to anyone, and when we share Personal Data with third parties, it’s only to improve your experience of using Rail Europe. See section 8 for more information.
- 1. Introduction
- 2. Definitions
- 3. Personal Data We Collect And Receive
- 4. Your Control Over Your Personal Data
- 5. How We Gather Personal Data
- 6. How We Use The Personal Data We Collect
- 7. Data Retention
- 8. How We Share And Use Personal Data With Third Parties
- 9. Where We Store Your Personal Data
- 10. Security
- 11. Age Limitations
- 13. Your Rights
- 14. Information Commissioner’s Office
- 15. Contacting Loco2
1. Introduction
This policy applies when Loco2 acts as a data controller; that is, when we decide the purposes and means of processing the Personal Data of our users. In this role, we may share your data with third parties to improve your experience of using Loco2. See section 8 for more detail.
2. Definitions
In this policy, “we”, “us”, “our” and “Loco2” refer to the company Loco2 Ltd.
References to “you”, “your” or “user” refer to private individuals or professionals who use our Service.
“App(s)” and “Application(s)” refer to our mobile applications for iOS (iPhone or iPad) and Android.
“Operators” refers to several rail and road operators. We sell tickets on their behalf to provide our Service.
3. Personal Data We Collect And Receive
We collect and receive information, including “Personal Data”, in various ways when you use our Service and Application(s), and “Other Information” to supply, analyse and improve our Service:
“Personal Data” means any information which, either in isolation or in combination with other information, identifies you as an individual. Examples of Personal Data include your name, date of birth, address, e-mail address, telephone number, and billing information.
“Anonymised Information” means information which cannot be used, either in isolation or in conjunction with other generic data, to identify you as an individual. It includes information such as referring domains.
4. Your Control Over Your Personal Data
We provide you with choices that allow you to opt out or control how we use and share your data.
- If you have a Rail Europe account, you can access privacy controls via the communication preferences settings in your account. By using the privacy controls, you can opt out of direct marketing communications. You can also request the deletion of your account via account settings.
- If you have previously used Loco2 as a guest, it is possible to create an account at any time with the same email address in order to access privacy controls or request the deletion of your account and associated Personal Data.
- If you do not hold a Rail Europe account (or if you do not wish to log in to your account or create a new account), you can unsubscribe from Loco2’s email marketing at any time by clicking the unsubscribe link in any of our emails. You can also contact us to request the removal of other Personal Data we may hold (for example, records of your travel booked through us). See section 13 for more information.
5. How We Gather Personal Data
Personal Data You Provide to Us
We collect information, including Personal Data, which you provide to us directly. This information is actively provided by you in order to access specific features of our Service, or make ticket bookings. For example:
- We collect your email address when you create a booking alert.
- We collect various Personal Data when you use our Service to place an order, including your name, email address, billing address and, in the case of tickets delivered by post, your delivery address. In some cases, when requested by Operators, we collect your date of birth and/or passport number.
- When you create an account or change the details associated with your account, we collect your first and last name, email address, and a password (which is encrypted).
- If you don’t have a Rail Europe account or place an order with an email address that is not associated with an existing account, then any purchases you may make will not appear in your account history. Each purchase made outside your account is considered an independent purchase, and we register it as such each time. The Personal Data you provide when making a purchase without an account will be dealt with in the same way as in all other transactions.
- As part of providing our Service, we collect and securely process financial data via a software integration with a third-party payments service provider. Most of this information (including payment card data) is stored only with the third-party payments service provider and cannot be accessed by Loco2 staff.
- If you contact us, we keep a record of that correspondence which may include your name, email address and details of your order/s, and any other information you share with us via email.
Certain types of Personal Data are sensitive and need more protection. For example, information about your race or ethnic origins, political opinions, sex life or sexual orientation, religious beliefs, health information, biometric data and genetic data. There are also special rules about the use of criminal information (information about criminal convictions or allegations about criminal convictions).
We will not usually collect these types of Personal Data. We will only process these types of Personal Data about you if we have a valid reason for doing so and only if the law allows us to.
Personal Data and Anonymous Information we automatically collect
We collect and receive Personal Data and Anonymised Information when you use our Service in order to improve your experience of using Loco2.
This includes details of your visits to our Site or Apps, IP address, browser type and operating system, referring URLs, location data, device ID, weblogs and other communication data. We use Personal Data and Anonymised Information gathered in this way for anonymised aggregate data analysis about how people use our Service, and in some cases to provide more targeted marketing/advertising.
- We collect and process anonymous information about your use of our Service, for example, the pages you visit and searches you perform.
- We use anonymous data to provide, update, maintain and protect our Services and business, for example to prevent errors, security or technical issues, and to analyse and monitor usage, trends and other activities.
- We receive browsing data that includes an IP address, the address of the web page visited before using Loco2, browser type and settings, the date and time the Services were used, information about browser configuration and plugins, language preferences and cookie data.
- We receive device information including the type of device, the operating system being used, application IDs, unique device identifiers and crash data. Whether we collect some or all of this Personal Data and Anonymised Information often depends on the type of device used and its settings.
- We receive Personal Data and Anonymised Information that helps us approximate your location which can inform internal market research and trend analysis, and to tailor marketing (e.g. to show messages in your preferred language). For example, we may use an IP address received from your browser or device, or the country contained in your billing address to determine approximate locations.
- Your device ID, location and your IP address are collected by a third-party service provider as part of the payment process as a fraud prevention measure.
We may also share Anonymised Information about your use of our Service with third-party sub-processors for analytical purposes. See section 8 for more information.
Personal Data We Receive About You
Operators occasionally share information with us about your Service. For example, confirmation of your travel, your ticket numbers, etc.
6. How We Use The Personal Data We Collect
We use your Personal Data for the following purposes, which are in our legitimate interests of operating our Services:
- To operate our Services: When you book and pay for tickets we use the information you provide on our Site and Apps to supply tickets via commercial agreements we hold with Operators.
- To send emails and other communications. We may send you service, transactional and other administrative emails e.g. booking confirmation, ticket on hold expiration warnings. This may include other types of communications (e.g. text messages to inform you of a delay to a train). We will also contact you to inform you about changes in our Service and important notices, such as security and fraud notices. These communications are considered part of our Service and you may not opt out of them.
- To communicate with you when you contact us. Our customer support team will communicate with you to troubleshoot problems or answer questions you may have about your account, tickets or payment, in order to help you.
- To send marketing emails and other communications. We send emails about new product features, promotional communications or other news about Loco2 to people who are subscribed to our mailing list. These are marketing messages so you can control whether you receive them.
- To offer tailored services. We promote our Service to you via advertising as well as with promotional emails for those who consent to receive them. To ensure our Service is relevant to you, we analyse your habits so we can propose offers which fit your interests.
- To collect payments. When you buy a ticket, we use payment services that are provided by other companies to process your bank or other types of transaction (e.g. PayPal, Apple Pay). This enables us to send you transactional emails, payment receipts and alerts in case of any glitches with your bank.
- To improve our Service. We collect information on how you use our Service through cookies and share this information with third-party analysis tools, like Google Analytics. Please refer to our Cookies policy for more information on our use of this technology.
- For internal statistics or surveys. We may use your data to generate statistics on our users or ask you to participate in our own surveys.
- To combat and prevent fraud.
When we rely on our legitimate interests, we make sure our use of your Personal Data is fair and balanced, and that it does not unfairly affect you or your rights.
There are certain types of Personal Data that we need to perform our contract with you. For example, we need your email address in order to send you your booking confirmation.
From time to time, we also ask for your consent to use your Personal Data (for example, when we ask you if you would like to sign up to receive marketing emails from us). When you have provided your consent, you may always withdraw it by contacting us on the details set out in section 15.
We are also legally obligated to share Personal Data with the authorities, for example, the police, customs authorities and immigration authorities.
7. Data Retention
This section sets out our data retention policies and procedure, which are designed to help ensure that we comply with our obligations in relation to the retention and deletion of Personal Data.
In general, we will retain your Personal Data as follows:
- When you add a ticket to your basket (but do not proceed to purchase), we retain Personal Data that you have entered (name, date of birth, passport number, email address) for a maximum period of 6 weeks from the date it was created.
- When you create an account, we retain any Personal Data that you have entered (your name, email address, saved passengers etc) unless you ask us to delete it, just in case you want to come back and book tickets with us again.
- When you purchase a ticket, we retain any Personal Data that you have entered (name, date of birth, passport number, email address) for at least 6 years, in case there is an issue or legal claim.
- When you create a booking alert, we use your email address only to notify you when tickets come on sale (you are not subscribed to any marketing emails). We may retain your email address to carry out aggregate trend analysis that helps us understand how people use Loco2 and to improve our Service (we will never use your email address for marketing purposes unless you explicitly consent to this).
We may retain certain Personal Data unless you request its deletion. For example, we don’t automatically delete inactive user accounts if they contain an order, so unless you choose to delete your account, we will retain your account information for 10 more years. Your data will only be accessible to a limited number of persons at Loco2 Limited, and for specific reasons (in case of legal claim or to comply with any legal obligations).
8. How We Share And Use Personal Data With Third Parties
We disclose your Personal Data to third parties in the following circumstances:
- If we are under a duty to disclose or share your Personal Data in order to comply with any legal obligation, or in order to enforce or apply our Website Terms and Conditions or Booking Terms and Conditions and other agreements; or to protect the rights, property, or safety of Loco2 Limited, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
- To gather feedback about our Service, detect and log bugs or report crashes and issues in our Site and Apps and to carry out trend analysis to improve your experience of using Loco2.
- In the event that we sell or buy any business or assets, in which case we may disclose your Personal Data to the prospective seller or buyer of such business or assets.
- If Loco2 Limited or substantially all of its assets are acquired by a third party, in which case Personal Data held by it about its customers will be one of the transferred assets.
We will not disclose your Personal Data to any third party for any marketing purposes unless we obtain your consent. If you do give consent for us to share any details, you can always withdraw your consent. See section 13 for more details.
Our Site and Apps contain links to and from the websites of our Operators, our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any Personal Data to these websites.
We don’t sell your Personal Data to anyone, and when we share information (including Personal Data) with third parties, it’s only to improve your experience of using Loco2 and for the other purposes set out above.
The following examples explain the most common instances in which we use Personal Data:
- For ticket sales and reservations: We collect and share some Personal Data with Operators because they need them to issue your ticket, or send you a ticket directly. For example, in order for us to obtain an e-ticket for Eurostar on your behalf, we must transmit your name, surname, and date of birth to Eurostar. For Thalys, we share your email address so the rail operator can send your ticket to you directly, as Thalys currently requires. Without sharing this Personal Data, it would not be possible for us to provide our Services to you. In any case, we only transmit what is required by the rail operator, nothing more.
- For travel alerts and disruption: We may also share your email address or telephone number with rail operators who provide travel alerts, so they can contact you in limited circumstances. For example, if your Eurostar train is cancelled, Eurostar may notify you by email and suggest alternative travel plans.
With service providers
We use some third-party service providers and partners to support our business and perform tasks that are required to deliver our Service or to improve your Loco2 experience. For example, we use a payment provider to process payments securely and an email service provider to send transactional emails. Other third parties, for example, provide virtual computing and data storage services.
With Corporate Affiliates
Loco2 shares some Personal Data with its corporate affiliates, parents and/or subsidiaries. For example, these include SNCF and Rail Europe. The confidentiality of your Personal Data and your rights in relation to your Personal Data will always be respected.
With the authorities
We are also legally obliged to share some Personal Data with the police or customs authorities, or government or administrative agencies, for example for purposes of fraud prevention.
With social networks
If you choose to create an account on our website using your Facebook or Twitter account, you may be subject to the privacy policies of these companies in addition to this policy. These functionalities are based on cookies, which can collect information about you such as your IP address, or the pages you visit. Loco2 cannot control the actions of Facebook or Twitter.
9. Where We Store Your Personal Data
Loco2 may transfer your Personal Data to countries other than the one in which you live. We deploy the following safeguards if these other countries are not deemed adequate under applicable data protection law:
European Union Model Clauses
Loco2 adopts European Union Model Clauses to meet the adequacy and security requirements for your Personal Data where it is transferred outside the EEA, for example if it is processed by suppliers operating outside the EEA who work for us.
E.U.-U.S. Privacy Shield and Swiss-U.S. Privacy Shield.
Loco2 ensures that any third-party service providers we appoint are certified under the E.U.-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield (if operating out of the US). These frameworks were developed to enable companies to comply with data protection requirements when transferring Personal Data from the European Union and Switzerland to the United States. To learn more about the Privacy Shield Program, please see http://www.privacyshield.gov/welcome.
10. Security
Loco2 takes the security of your Personal Data very seriously. We do our utmost to preserve your Personal Data and prevent it from being stolen, damaged or misrepresented.
All information you provide to us is stored on secure servers. All payment transactions are encrypted using Secure Sockets Layer (SSL) technology, which encrypts information you input.
SSL technology is used to pass data over a secure connection to our payment service provider who processes card payments made through the site on our behalf. Loco2 never sees or stores financial information you supply via payment forms.
If you have created an account and password to access parts of our site, you are responsible for keeping this password confidential. We ask you not to share your Loco2 password with anyone. All passwords you provide to us are encrypted on our servers and cannot be accessed by Loco2 staff. If you lose your password, there is no way for Loco2 to resend it. You can, however, reset it at any time on our site or apps.
We use strict procedures and security features to try to prevent unauthorised access. Unfortunately, the transmission of information via the internet is not completely secure.
In the event of a breach of Personal Data, Loco2 will comply with its obligations to notify the relevant supervisory authority for our processing activities and inform affected individuals without undue delay (if required by applicable data protection law).
11. Age Limitations
To the extent prohibited by applicable law, Loco2 does not allow the use of our Services by anyone younger than 16 years old. If you learn that anyone younger than 16 has unlawfully provided us with Personal Data, please contact us and we will take steps to delete such information.
13. Your Rights
Loco2 relies primarily on its legitimate interests, described above in section 6, to process your Personal Data. When we rely on legitimate interests, you have the right to object to our use of your Personal Data. We can only continue using your Personal Data if we have a compelling reason to do so.
Access, Correction and Restriction
You have the right to request access to the Personal Data we hold, as well as to seek to update and correct it.
You can inspect the Personal Data held in your Rail Europe account by clicking the link.
If you believe that the Personal Data we hold about you is incorrect or that we do not have a valid reason to use your Personal Data, you can request that we restrict our use of your Personal Data.
You can request the deletion of your Personal Data. You can do so within Settings of your Rail Europe account or by contacting us on the details set out in section 13. Your Personal Data will be removed from Loco2 and any third-party apps that we may have shared it with within 30 days of the request, or within 30 days of any future travel dates, unless we have a legitimate reason to retain your Personal Data.
If you didn't sign up for an account when you placed an order, creating an account at any time will enable you to view any bookings that are associated with the same email address and access account settings.
If you cannot use the settings and tools for any reason, contact our customer support team for assistance. You can find their information here: [email protected].
Loco2 may retain some Personal Data after you have deactivated your account where such retention is necessary for compliance with a legal obligation to which we are subject, for example for financial reporting or to conduct audits, comply with (and demonstrate compliance with) legal obligations or resolve disputes, or in order to protect your vital interests or the vital interests of another person.
Withdrawal of Consent
If you consent to us using your Personal Data for marketing purposes, we may also send you marketing communications, and you have a right to revoke consent for Loco2’s use of your Personal Data for this purpose. You can unsubscribe from Loco2’s email marketing at any time by clicking the unsubscribe link in any of our emails, or by using the settings and tools provided in your Rail Europe account. You can also contact us on the details set out in section 15.
You can ask us to transfer or port your Personal Data to another party in certain limited circumstances.
14. Information Commissioner’s Office
Subject to applicable law, you also have the right to (i) request the erasure of any Other Information that may constitute Personal Data held by Loco2 and (ii) lodge a complaint with your local data protection authority or the UK’s Data Protection Commissioner, which is Loco2’s lead supervisory authority in the European Union.
If you are a resident of the European Economic Area and believe we fail to maintain your Personal Data within the scope of the General Data Protection Regulation (GDPR), you may direct questions or complaints to our lead supervisory authority:
- Information Commissioner's Office (ICO)
- Wycliffe House
- Water Lane
- Wilmslow, Cheshire SK9 5AF
- Telephone: +44 (0)303 123 1113
- Live chat
15. Contacting Loco2
To communicate with our Data Protection Contact, please email us and mark your email "for the attention of the Data Protection Contact". Our email address is: [email protected]
Our registered office is at:
- Loco2 Limited
- c/o Brachers
- Somerfield House
- London Road
- Kent, ME16 8JH