Privacy Policy

International Rail Ltd - Protecting Your Privacy

International Rail Ltd - Privacy Notice for GDPR

This page contains multiple sections.

Please ensure that you read each section that is relevant to you.


This Privacy Notice explains in detail the type of personal data that we may collect about you when you, or your employer, or your authorised representative interacts with us. It also explains how we store, process and keep your data safe. This notice applies to current, future and former recipients of International Rail Ltd services.

With this document we endeavour to keep you fully informed about our policy, and how International Rail Ltd uses your data for the purpose of providing rail travel services.

This Privacy Notice will be updated from time to time. The last update date of this policy will be at the bottom of this page.

In respect of data we already hold about you, received either for your current or previous rail ticket or pass order and any data submitted to us in future by you, or your authorised representative(travel agent) International Rail Ltd is the data processor.


The use of the words "we", "our" and "us" in this Notice refers in each case to International Rail Ltd.

The use of "you" and "your" in this Notice refers in each case to Rail Ticket &/or Pass holder the traveller.

When referring to “your information” or “your data” this applies to the data of the Rail Ticket &/or the Pass holder/traveller in the order that includes information or data supplied by you, your authorised representative.

The terms defined in the singular have a comparable meaning when used in the plural, and vice versa.

Who is International Rail?

International Rail Ltd provide global rail passenger services to public and trade on&offline directly and/or via authorised representatives.

Explaining the legal bases on which we rely

The law on data protection sets out a number of different reasons for which a company may collect and process your personal data, including:

Legitimate interests

This effectively means that we can collect, process and store your information if:

We have a genuine and legitimate reason and we are not harming any of your rights and interests

When you provide your information to us we use your information to pursue our legitimate interests in a way which might reasonably be expected as part of providing Rail Travel Services to you, which does not materially impact your rights, freedom or interests.

We will use your data which you have given to us to issue your with Rail Travel Services as part of your order or via your authorised representative. .


For specific purposes or requests, we collect, process and store your data with your consent.

When you are purchasing Ticket &/or Pass, online, via call centre or by sending us a form relating to your order.

Legal compliance

If the law requires us to, we may need to collect, process and store your data. 

This means that we must pass details of alleged Travel Irregularities or fraudulent use of our services to: Train Operating Companies, their agent (providing your travel services), so that they can investigate. We also pass on details where or a law enforcement agency believe you or other individuals in that order are involved in fraud or other criminal activity.

Why do we collect your data?

We have a genuine and legitimate reason to collect, process and store your data solely for the purpose of administering and issuing you with Rail Ticket &/or Pass service. We only collect, process and store data that is required to issue your Rail Ticket &/or Pass.

Why we collect your data:

·  To administer, fulfil and issue Rail Ticket &/or Pass to you.

·  To check the eligibility to Rail Ticket &/or Pass service that you request, purchase, amend or cancel.

·  To respond to your queries and complaints.

Holding your information enables us to respond to your queries. We may also keep a record of this to inform any future communication and to demonstrate how we communicated with you throughout. We do this on the basis of our legitimate interests in providing you with the best service and, in addition, understanding how we can improve our service based on your experience.

·  To process payments for lost and damaged Ticket/Pass. We do this on the basis of our legitimate business interests.

·  To identify any fraudulent requests or purchase of Ticket/Pass service that would comprise the integrity or continuing provision for added service you may require (for example seat reservation).

If we discover, or are made aware of, any criminal activity or alleged criminal activity from contacts at the Train Operating Companies, employers, or other national and international rail travel providers, we process this data for the purposes of preventing or detecting unlawful acts.

·  To comply with our legal obligations to share data with law enforcement.

·  Time to time to send you information of our products if you have opted in. You are free to opt out of receiving these requests from us at any time by letting us know.

In specific circumstances, we also have your consent to collect, process and store your data solely for the purpose of administering and issuing you with rail ticket &/or pass product services. We only collect data that is required to validate your eligibility for such product.

These circumstances are:

·  To administer and issue rail ticket &/or pass services to you which you are eligible

·  To check the eligibility to rail ticket &/or pass service that you may request

·  To respond to your queries and complaints.

How do we collect your data?

To provide you with your rail ticket &/or pass service, we can create a record on our database for you. We can only get this initial data from you or authorised representative. Once we have a record for you we will only collect, process and store data where it affects your rail ticket &/or pass services or the eligibility to them in the following ways:

·  When you advise us of any change that affects your rail ticket &/or pass service for you

·  When a Train Operating Company or law enforcement agency contacts us about possible fraud involving you.

·  When you’ve given a third-party permission to share with us the information they hold about you.

What data do we collect?

We collect, process and store the following categories of personal information about you. We will only collect your data where it affects the administration of your rail ticket &/or pass service for the eligibility to them of you.

o  your names including names in passport

o  your title

o  your nationality &/or country of residency where it was required for the rail ticket &/or pass service.

o  your postal address or that of your authorised representative, including date last submitted or checked

·  date of birth

·  contact details:

  • your personal and/or work email addresses
  • your home and/or mobile phone numbers

o  where we have made notes on the system relating to the administration of your rail ticket &/or pass services.

o  We note your preference as to whether or not you wish to be included in our promotional communication

We will also collect, process and store notes from our conversations with you, details of any complaints or comments you make, and how and when you contact us.

How do we protect your data?

We know how much security of your data matters. We treat your data with care and take all appropriate steps to protect it.

We secure access to all areas of our systems and websites including where you are uploading forms securely using encryption, for example ‘https’ technology.

We do not store payment card information.

We regularly monitor our systems for possible vulnerabilities and attacks, to identify ways to further strengthen security. Third parties only process your personal information on our instructions and only where they have agreed to treat the information confidentially, to keep it secure and destroy it as soon as it is no longer needed.

We want you to feel confident about using our Online Services to make travel arrangements, and we are committed to protecting the information we collect. While no Online Services can guarantee absolute security, we have implemented appropriate technical and organisational measures to protect the personal information that we collect and process about you. For example, we employ firewalls and intrusion detection systems to help prevent unauthorised persons from gaining access to your information. In addition, only authorised employees are permitted to access personal information, and they may only do so for permitted business functions”

How long will we keep your data?

One of the key principles of the General Data Protection Regulations (GDPR) is that the personal data we collect, process and store shall be adequate, relevant and limited to what is necessary for the purpose for which it was originally collected. As rail ticket &/or pass services may cover multiple years, it is necessary to retain your personal data for the duration of the maximum length of the service including the duration of the time, laws for taxation (HMRC) and law enforcement requirements and requests stipulate.

We are unable to erase your data where it is needed to store for above purposes.

Who do we share your data with?

We sometimes share your data with trusted third parties, such as Train Operating Companies or their authorised agents in order to provide your rail ticket &/or pass service validating your eligibility for that service.

We also share your data with print and fulfilment facilities that issue your rail ticket &/or pass services on our behalf.

We currently may supply your data to our IT system operating companies in order to supply you your required rail ticket &/or pass service for printing and fulfilment services:

The policy that we apply to those organisations is to keep your data safe and protect your privacy is that:

·  We provide only the information required to perform the specific service.

·  They may only use your data for the exact purposes we specify to them.

o  When the specific rail ticket &/or pass service production has been completed, they do not hold the data any longer than is otherwise legally required of them.

o  If we stop using their services, any of your data held by them will be requested to be deleted without delay, unless it is otherwise legally required to be stored securely by them.

The IT companies that support our database and other business systems may have access to your data in order to maintain our systems. These are:

-  Random Digit Ltd

-  DotSquares Ltd

-  Horizon Telecom Ltd

These companies operating in the area governed by GDPR legislation, have security measures in place which comply with GDPR regulations.

Sharing your data with third parties for their own purposes:

We will only do this in very specific circumstances, for example:

·  For fraud management, we may share information about alleged fraudulent activity that involves the use of rail ticket &/or pass services. This may include sharing data about individuals with law enforcement bodies, Train Operating Companies and their authorised agents. The data disclosed may also include journey data where this is available.

We may also need to share your information with a regulator or to otherwise comply with the law.

We may also be required to disclose your data to the police or other enforcement, regulatory or Government body, in your country of origin or elsewhere, upon a valid request to do so. These requests are assessed on a case-by-case basis and take your privacy into consideration.

For further information please contact us through below contact details.

Where is your data processed?

Sometimes we may share your data with third parties and suppliers outside the European Economic Area (EEA) but only in response to a request from you for specific rail ticket &/or pass services for these countries. (Including the IT operators that support our database and other business systems may have access to your data in order to maintain our systems)

Protecting your data outside the EEA

Apart from the circumstances described above, we do not process or store any data outside of the EEA.

What are your rights over your personal data?

An overview of your different rights

You have the right to request:

·  Access to your data that we hold about you, free of charge in most cases

·  The correction of your data when incorrect, out of date or incomplete

·  That we stop using your data for other than originally collected purposes

·  Deletion of your data that we hold about you (excluding what current law requires us to hold)

·  You can contact us to request to exercise these rights at any time as follows:

Contact Us:  See below section for contact details

If we choose not to action your request we will explain to you the reasons for our refusal.

Where we rely on our legitimate interest

In cases where we are processing your data on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation.

We must then do so unless we believe we have a legitimate overriding reason to continue processing your data.

Checking your identity

To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this Privacy Notice.

If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to do so.

How can you stop the use of your data for service quality surveys?

If we have sent you a survey about our services and you no longer want to receive surveys, simply let us know and we will stop. You can do this by:

Contact Us:  See below section for contact details

International Rail Ltd web page

International Rail Ltd Privacy Policy is documented at 

-  https://www.internationalrail.com/privacy-policy

-  https://www.internationalrail.com/business/privacypolicy

Contacting the Regulator

If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your data, you have the right to lodge a complaint with the Information Commissioner’s Office.

You can contact them by calling 0303 123 1113.

Or go online to www.ico.org.uk/concerns (opens in a new window; please note we are not responsible for the content of external websites)

If you are not based outside the UK, you have the right to lodge your complaint with the relevant data protection regulator in your country of residence.

Any questions?

We hope this Privacy Notice has been helpful in setting out the way we handle your data and your rights to control it.

If you have any questions that haven’t been covered, please contact us and we will be pleased to help you: See below section for contact details

Contact Details

International Rail Ltd / GDPR Personal Data Handling 
PO Box 153 
Alresford, SO24 0BY 
United Kingdom

e:  privacy@internationalrail.com

About the use of cookies

Cookies and other technologies

Cookies are small data text files which can be stored on your computer’s hard drive (only if permitted by your web browser). Our website uses cookies for the following main purposes:

– To help us recognise your browser as a returning visitor as well as save and remember any preferences that may have been set when your browser previously visited our site.

– To help evaluate as well as research the effectiveness of the features in the website and as well as offerings, advertisements and emails (by determining which emails you view and act upon).

In most browsers the Help portion of the toolbar will contain information how to prevent your browser from accepting any new cookies, how set your browser to notify you in the event you receive a new cookie, or instructions to assist you to disable cookies completely.

Our site may use web beacons (commonly known as pixel tags, Web bugs or clear gifs), these are tiny graphics including a unique identifier, function similar to cookies, placed in the web page code. Web beacons are used to monitor user’s traffic patterns from one page to another within our site, delivering or communicating with cookies, helping us to understand if you came to our site via an online advertisement placed on a third-party website, plus to improve site performance. Also our service providers may be allowed to use web beacons to track the visitor traffic as well as their actions whilst on our site. These are helping us measure and determine the effectiveness of our content as well as other offerings.

In case you have questions regarding our use of cookies and/or other technologies, please contact us via our email address: (see our contact details)

(Last update – Mar 2019)