Privacy Policy | Caledonian Sleeper

Privacy Policy

Caledonian Sleeper Limited

Privacy Policy – June 2023

1. Introduction

This Privacy Policy (“Policy”) is issued by Caledonian Sleeper Limited for its operation of the Caledonian Sleeper Franchise, the overnight sleeper passenger rail service that operates between London and Scotland (“Caledonian Sleeper Service”).  We have developed this Policy to ensure you (as a user of our website and/or train services) are informed and confident about the security and privacy of your personal information. This Policy supplements our Terms and Conditions, and Guest Charter, available on our website at www.sleeper.scot. Caledonian Sleeper Limited is committed to protecting your privacy. Below we explain how we use your information and how we protect your privacy.

Please read this Policy carefully as it contains important information on who we are, how and why we process the personal information that you provide to us, whether through our website, by post, by phone, in person or when you otherwise communicate with us. It also explains your rights in relation to your personal information and how to contact us or supervisory authorities in the event you have a complaint. If you have any questions or comments about this Policy, you can contact us by using the details set out below in section 13 (Data Protection Office) of this Policy.

2. Who we are

Caledonian Sleeper Limited (“CSL”, “we”, “us”) is a company incorporated in Scotland, having its registered offices at Basement and Ground Floor Premise, 1-5 Union Street, Inverness, IV1 1PP.

For the purpose of the Data Protection Laws; any other applicable laws relating to the protection of personal data and the privacy of individuals (all as amended, updated or replaced from time to time); and this Policy, we are one of the data controllers (independent of Transport Scotland) of your personal data for the purpose of providing the Caledonian Sleeper service. This means that when we process your personal data, we are responsible for looking after and protecting your data. We are registered as a data controller with the UK’s Information Commissioner’s Office and our registration number is [to update following registration].

Please note, our communication and/or website may provide links, promote or signpost to other independent third-party websites, plug-ins or applications (and links to third party sites relating to Passenger Assistance, the National Rail Conditions of Travel, Rail Ombudsman, and social media sites). Those third parties are not always under our control. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We are not responsible for the conduct of third-party companies linked to the programme or the website or the contents of their privacy notices. You should refer to the privacy notices of those third parties as to how and why they may handle your personal information. When you leave our website or before you enable any connection, we encourage you to read the privacy notice of every website, plug-in or application you visit or wish to use.

3. Information we may collect from you

The personal data you provide to us or that is collected by us (or on our behalf) is used for service and operational purposes, for example making travel reservations, processing payments, arranging travel assistance at your departure and destination stations, and protecting yourself and others. The types of personal data we collect, store and use could include:

  • Your and other Travellers’ Personal Details: including title, name, age band, sex or gender, billing address including country, telephone numbers, email address, language/dialect spoken, health and medical information, travel itinerary and requirements, travel assistance requirements and personal data of any individual travelling with you or on whose behalf you are booking (including children and/or dependants).
  • Identifiers: such as your booking reference and reservation numbers, “Flexipass” documents, signatures, social media identifiers, railcard details, photographs, voice/video recordings, registered weapon details, any personal data collected through cookies, discount, promotional and voucher codes, prize letter details.
  • Financial Details: such as your purchase transaction history, card payment details. We comply with the Payment Card Industry Data Security Standards (PCI DSS), and we have in place robust controls surrounding the storage, transmission and processing of cardholder data that we handle.
  • Communication details: such as call logs and recordings made to and from the Guest Service Centre telephone system (calls received by the Guest Service Centre via the Caledonian Sleeper digital information points available at some train stations are not recorded), our promotions sent to you (with your consent), your pre-trip email with information about travelling with us, pre and post-trip surveys, complaints, feedback, general correspondence exchanges with us or referred to us, including messages via our live/web chat platform.
  • Preferences: such as your consents, permissions, or preferences that you have specified including your interests and hobbies.
  • Incident Reports: such as health and safety accidents, security or other incidents.
  • Website Access Details: which includes your computer’s unique identifier (“IP Address”), your login information, and the dates and times you have accessed our website, alerts preferences, data collected through your access to, and use of, our website and live/web chat.

You do not have to provide your personal information to us. However, if you do not provide the personal information which we ask for, we will not be able to permit or arrange your purchase or use of our products and services; process a travel reservation for you; provide our services to you; or respond to enquiries that you may have.

Children’s data

If you are under 16, please do not send any information about yourself to us, including your name, address, telephone numbers, or email address, unless you have your parent’s or guardian’s permission. In the event we learn that we have collected personal information from anyone under the age of 16, and do not have a parent or guardian’s consent, we will delete that information as quickly as possible. In the event that we do hold personal data about children, we will handle that data in accordance with the terms of this Policy.

Our services may be booked directly and used by individuals aged 16 years or over. However, (with the exception of our CCTV cameras), we do not directly or knowingly collect or solicit personal information from anyone under the age of 16 or knowingly allow such persons to provide us with their personal information without parent or guardian consent. Parents, schools and tours (or equivalent) may book to travel with us and may provide limited information about the children travelling with their group.

4. How we collect the personal data

The circumstances in which we will collect personal data about you include when:

  • the personal data is provided to us by you (e.g. when you agree to sign up to join our mailing list or enter a competition or contact us via live/web chat);
  • the personal data is collected in the normal course of our relationship with you (e.g. when you are booking to travel with us via telephone, on the website or using our mobile application);
  • the personal data has been made public by you (e.g. contacting us via a social media platform) or obtained from a publicly accessible source (e.g. Companies House);
  • the personal data is received by us from third parties (e.g. third-party booking websites, from your employer, tour group operators, external travel agents, credit reference agencies, advertising networks, government agency (such as Transport Scotland));
  • the personal data is collected via our IT systems, such as:
    • automated monitoring of our website, on-board Wi-Fi services and other technical systems including our computer networks and connections;
    • CCTVs that operate on our trains and in our Guest Lounges;
    • email and instant messaging systems;
    • cookies (please refer to the section below for further information); and
    • the call recording system for calls received into our Guest Service Centre.
  • the personal data is created by us, such as records of your communications with us.

5. How and why we will use your personal information

We will only collect, use and share your personal information where we are satisfied that we have an appropriate legal basis to do so. The purposes for which we may use your personal data and the legal basis on which we may perform such processing are set out below.

Where necessary for the performance of a contract with you, or to take steps linked to a contract

  • To provide the services or information that you have requested from us such as information updates by phone, email or SMS message about your booked travel, resolving any matters connected with your reservation, or your engagement and enquiries made to our Guest Services Centre.
  • To exercise our legal rights with respect to our contract with you.

Where you give us consent

To process your information. For example, when you give us your consent to receive promotional or marketing materials, partake in market research, receive discount offers, or if you have opted to join loyalty or reward schemes, or to participate in competitions. You have the right to withdraw consent at any time. This will not affect the lawfulness of our processing of your information if that is based on your consent given prior to its withdrawal. If you wish to withdraw consent, contact us using the details in section 13, below.

For purposes which are required by law

  • In response to requests from government law enforcement authorities conducting an investigation.
  • Other processing necessary to comply with professional, legal and regulatory obligations that apply to our business, such as health and safety obligations and requirements to ensure the safety and wellbeing of our workers and our Guests (and any third parties). This includes, where processing of personal data is necessary for the purpose of safeguarding against the impact of a health-related issue (for example, coronavirus or other epidemic, pandemic, disease or outbreak), or in respect of any measures we are required to take from time to time during a national or international emergency.

Where necessary for CSL’s or third parties’ legitimate interests and where the interests are not overridden by your data protection rights, such as:

  • To manage, facilitate and/or improve the provision of our services to you, including but not limited to administering our website; managing enquiries, complaints and feedback; investigating, preventing and detecting fraud against you, our other Guests or Caledonian Sleeper Limited or other UK Train Operating Companies.
  • To manage third party products and services sold through our website or apps, including the opportunity to upgrade your travel options, in conjunction with our third-party partners.
  • For health and safety purposes; or security purposes, such as preventing unauthorised access and modifications to systems and protecting our workers, Guests, premises and trains with the use of CCTV, call recording and barred travel lists.
  • For business development, management and analysis or quality assurance purposes such as improving efficiency, training and quality control of our products and services including by reviewing call recordings for training or quality purposes.
  • For accounting and auditing purposes.
  • For market research, marketing or promotional purposes, for instance, promotion of our services by email, telephone, social media, post or in person or otherwise that might be of interest to you; this could include engaging with you (e.g. interviewing you at our stations or being contacted) to obtain your views on our products and services.
  • To support business and administrative functions of the business and/or ensure business policies are adhered to.
  • To meet our contractual obligations under our Franchise agreement with Transport Scotland (e.g. reporting on the delivery of services commissioned by, or feedback/complaints etc. to, Transport Scotland).
  • To prevent, investigate, detect and/or report fraud, misrepresentation, security incidents, crime and other related matters.
  • In connection with a business transaction such as merger, restructuring or sale of the business.
  • For legal claims, compliance, regulatory and investigative purposes as may be necessary (including disclosure of such information in connection with legal process or litigation or meeting Public Health requirements).
  • To assist in ensuring compliance with regulatory procedures and to provide evidence for any regulatory investigation.
  • To help protect Guest Service Centre staff from abusive or nuisance calls.
  • To assist in identifying any training requirements or coaching needs for Guest Service Centre staff.
  • To assist in internal Caledonian Sleeper disciplinary action.

In some cases, your personal information may be aggregated and anonymised, which could include statistical or demographic data (for example to calculate the percentage of users accessing a specific Website feature), where relevant to the service usage, performance, and delivery. This may be extracted and used by us, or our ‘third party’ providers to help us understand, improve and manage our business such as analysing travel usage, interaction with our facilities, systems or services we provide and identifying areas of improvement.

Where special category personal information is involved, such as your health and medical information, we will handle that information in accordance with applicable laws, including where:

  • we have your explicit consent, including where you voluntarily provide us with that information;
  • the law permits us to do so to comply with our legal obligations or to exercise specific legal rights;
  • you have clearly made the sensitive personal information public;
  • processing is necessary for the establishment, exercise or defense of legal claims; or
  • processing is necessary for reasons of substantial public interest such as for statutory and government purposes.

6. Cookies

We use cookies on our site. Cookies are small text files that are downloaded onto your device when you visit a website. Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our website. For detailed information on the cookies we use and the purposes for which we use them, please see our Cookie policy.

7. Direct Marketing

Where you have consented to such communication or where we have a legitimate interest for promotional purposes (see section 5 above), we will use your personal information to send you updates (e.g. by email, text message, telephone, social media platform or post – depending on the preference you have expressed at the time of giving your consent) about our services including e-newsletters, exclusive offers, events, competitions, promotions or products that we believe will be of interest to you.

You can subscribe to our marketing list by selecting the option to receive marketing communications when booking on our website or via this page: https://www.sleeper.scot/subscribe/. You may also choose to receive promotional information from us when entering our or third party competitions and explicitly consenting to being contacted by us.

We will always treat your personal information with the utmost respect and never sell your information or share with other organisations without your prior permission for marketing purposes. We will take steps to limit direct marketing to a reasonable and proportionate level and only send you communications which we believe may be of interest or relevance to you.

Where you have consented, you have the right to opt out of receiving marketing communications by:

  • using the unsubscribe option included on all our marketing correspondence;
  • writing to us at Marketing Department, Caledonian Sleeper Limited, 1 Union Street, Inverness, IV1 1PP; or
  • sending us an email to communication@caledoniansleeper.scot. Please ensure your correspondence is marked ‘Unsubscribe: Marketing Contact List’ and include your full name, email and telephone number to ensure your details are fully deleted from our direct marketing system.

If you choose not to receive updates about our services, we will be unable to keep you informed of any new products, exclusive offers, events or promotions that may interest you.

8. CCTV

We currently have closed circuit television (CCTV) operating in our premises, and on our trains, for purposes including but not limited to: (i) the health and safety of our Guests, employees and members of the public; (ii) security; and (iii) crime prevention and detection. For these reasons, the information processed may include visual images of personal appearance and behaviours of workers, passengers and general members of the public who were in the immediate vicinity of the area under surveillance.

We display signs to inform visitors and workers that they are under surveillance and there may be video recording in operation. This information is kept in secure environments and access is restricted to Caledonian Sleeper’s designated workers.

There may be CCTV operating at other lounges, at the train stations we use and at other sites where we might operate, however we are not the data controllers for those systems and you will need to contact those operators for details about their CCTV privacy policies.

9. Sharing Your Personal Information with Others

We will only disclose personal information to a third party in very limited circumstances, or where we are permitted or required to do so by law. The third parties to whom we provide your personal data include:

  • other organisations within the Scottish Rail Holdings Ltd group of companies, where such disclosure is necessary to provide you with our services or to manage our business;
  • Transport Scotland, acting on behalf of the Scottish Ministers, including for the purposes of contract management review which may include sharing statistical information, summaries of events and details about correspondence received (where necessary);
  • third parties we use to help deliver our products and services to you, such as banks and payment providers;
  • other third parties we use to help us run our business, such as marketing agencies, IT support service providers (including providers of our booking and webchat system), our train cleaning and presentation partners, Network Rail and other train operating companies, our rail replacement providers, analysis experts, communication platform providers;
  • managing third party products and services sold through our website or apps, including the opportunity to upgrade your travel options, in conjunction with our third-party partners;
  • third parties approved by you, such as when you request your details to be transferred;
  • our professional advisers e.g. law firms, auditors, insurers and brokers;
  • the Rail Ombudsman;
  • Government, regulatory and law enforcement bodies (e.g. Police, organisations under Public Health Scotland or other public authorities/bodies) where we are required in order:
    • to comply with our legal obligations (e.g. health and safety laws);
    • to exercise our legal rights (e.g. pursue or defend a claim); and
    • for the prevention, detection and investigation of crime; and/or
  • Rail Delivery Group for the purposes of prevention and detection of fraud and other crimes.

We may transfer your personal information to third parties in connection with a reorganisation, restructuring, merger, acquisition, sale or transfer of assets, or in the event there is a change of operator for the Caledonian Sleeper franchise or in the event that there is a hand back of the Caledonian Sleeper franchise to the Scottish Ministers. In such cases, we will take the appropriate steps to make sure that such transfer is in accordance with the applicable data protection law(s).

Less commonly, we may process and share your personal data where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent.

We also impose data protection obligations on contracted third parties to ensure they can only use your data when providing services to us for the purposes listed above.  These third parties cannot pass your details on to any other parties unless instructed to by us, unless they are required to do so by law.

Transferring Your Personal Information Globally

The personal information that we collect from you may be transferred to, and stored at, a destination outside the UK or European Economic Area (“EEA”) (for example, in the USA). It may also be processed by workers operating outside the UK/EEA who work for us or for one of our service providers.

In the event your personal information needs to be transferred outside of the UK/EEA, we will take appropriate steps to ensure that transfers of personal data are in accordance with applicable law(s) and are carefully managed to protect your privacy rights and interests and that transfers are limited to countries which are recognised as providing an adequate level of legal protection, or where we are satisfied that alternative arrangements are in place to protect your privacy rights. Our standard practice when transferring personal data outside the UK/EEA is to:

  • Put in place binding corporate agreements, which will include the relevant adopted standard contractual clauses for transferring personal information outside the UK/EEA, to ensure that your information is safeguarded.
  • Ensure that the country in which your personal information will be handled has been recognised as providing an adequate level of legal protection, or where we are satisfied that alternative arrangements are in place to protect your privacy rights.
  • In the limited circumstances that information is transferred within Scottish Rail Holdings, ensure such transfers are covered by an intra-group data sharing agreement entered into by all relevant entities within the group, which contractually obliges each member to ensure that personal information receives an adequate and consistent level of protection.
  • Carefully validate any requests for information from law enforcement or regulators before disclosing the information.
We will co-operate with any regulators as required by law to ensure that we remain transparent about the way we handle your personal information.

Service disruption messages are sent by our third party communications platform provider, Twilio Inc., who operate and process personal data from the USA. Please view their privacy notice for details about how they process your personal data when they are acting as a separate data controller or when acting as our data processor, available from https://www.twilio.com/legal/privacy.

10. Security of Your Personal Information

We take precautions including administrative, technical and physical measures to safeguard your personal information against loss, theft and misuse, as well as against unauthorised access, modification, disclosure, alteration and destruction.  We protect personal data using a variety of security measures including (but not limited to): limiting access on a need-to-know basis, password protected access; data back-up; encryption; firewalls; and secure storage facility with appropriate security restrictions.  Call recordings are stored securely, with access to the recordings controlled and managed by the Guest Experience Director and Guest Service Centre Manager.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

Please ensure that any passwords which are given to you or created by you to access our services are kept secure and safe.

11. How Long We Keep Your Personal Information

We will store your personal information for as long as is reasonably necessary for the purposes for which it was collected, as explained in this Policy. Where your information is no longer needed, we will ensure that it is disposed of in a secure manner. If you would like further details about our retention policies, please contact us at enquiry@sleeper.scot.

Listed below are the general criteria we use to determine how long we will keep your personal information, whereupon we will either delete or anonymise the data:

  • We will continue to keep your personal information while we are providing goods and services, or if we have an ongoing relationship with you (e.g. you hold an account with us, we are delivering a contract, you are a supplier to us or you have an ongoing complaint). Generally, we keep booking data and associated correspondence for seven (7) years from date of booking, along with the associated encrypted transaction.
  • We retain CCTV recordings centrally for up to 30 days, and for a longer period if they are relevant to an incident, complaint, investigation, legal proceedings or for as long as legally required by regulatory bodies and law enforcement agencies.
  • We generally store transcripts of your live/web chat conversations with us for as long as necessary after the interaction unless it is necessary to retain the transcript for a longer period to respond to your enquiry.
  • We retain call recordings for up to 434 days from the date of their recording unless there is a relevant incident, complaint, investigation, legal proceedings or legal obligation which requires us to retain the recording for longer.
  • We will retain purchase orders, invoices and receipts for six (6) years (where the information is no longer needed or the six (6) years have passed, we will ensure that it is disposed of in a secure manner).
  • We will retain contracts for a minimum of six (6) years (unless it is required for a longer period).
  • We will retain general correspondence and papers (including emails) received by us (excluding complaints and investigations) for up to 6 years.
  • Our register of feedback, complaints and investigations is reviewed every 6 years.
  • Images and messages provided by you on our social media feed will be kept until you ask for them to be deleted.
  • Where applicable, your IP address is kept in accordance with your cookie preferences (for further information on our cookie policy, please see section 6).

In some circumstances we may store your personal information for longer periods of time, for instance where we are required to do so in accordance with contractual, legal, regulatory, tax and/or accounting requirements.

12. Your Legal Rights in Respect of Your Personal Information

You have legal rights in connection with personal information. Under certain circumstances, by law you have the right to:

  • Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Portability of the personal information you provided us, in certain situations.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing.
  • Object to processing of your personal information by us or on our behalf for direct marketing (including profiling) and in certain other situations (such as processing carried out for legitimate interests).
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal information to another party.
  • Withdraw consent to processing where the legal basis for processing is solely justified on the grounds of consent (please refer to section 7 for details about withdrawing consent to marketing).

Please note, to ensure security of personal information, we may ask you to verify your identity before proceeding with any such request. We may also charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive.

If you would like to exercise any of these rights, please submit your requests to the Guest Services Centre addressed to the Data Protection Champion via email at enquiry@sleeper.scot, or the Data Protection Office as detailed below in section 13. Subject to legal and other permissible considerations, we will make every effort to honour your request promptly or inform you if we require further information in order to fulfil your request. We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we have to others, or if we are legally entitled to deal with the request in a different way.

For any personal information processed by a third party (except Transport Scotland) for which they are a data controller and not a joint data controller with Caledonian Sleeper Limited, please contact that third party directly to exercise your rights.

13. Data Protection Office

We have appointed a Data Protection Officer (DPO) to oversee compliance with this Policy. If you have any questions about this Policy or how we handle your personal information, please address them to:

Data Protection Officer
Caledonian Sleeper Limited
1-5 Union Street,
Inverness,
IV1 1PP

Alternatively, please email dpo@caledoniansleeper.scot. For any questions or queries relating to or for Transport Scotland, please raise them with us in the first instance and, where required, we will directly communicate with Transport Scotland on your behalf or forward the matter directly to them for their action.

14. Complaints

We ask that you please first attempt to resolve any issues or concerns with us, although you have a right to contact the Information Commissioner’s Office (ICO) at any time and file a complaint where you believe there has been an infringement of data protection laws.

The contact details for the ICO are available at: https://ico.org.uk/concerns or via telephone: 0303 123 1113. The ICO will then investigate your complaint accordingly.

15. Changes to this Policy

We may amend this Policy from time to time to keep it up to date with legal requirements and the way we operate our business. Please regularly check this page for the latest version of this Policy. If we change this Policy, we will post the details of the changes on this page. Any changes will be effective when posted and your continued use of this site will indicate your acceptance of these changes. If we make significant changes to this Policy, we may notify you of these via our home page or by email and/or post.

This Policy was last reviewed and updated in June 2023.