RE Internet Systems Limited or REIS is committed to protecting and respecting your privacy when you use our services.
- What personal data we collect from you when you use our website;
- How we will collect and use that information;
- How we keep information secure; and
- How you can contact us if you wish to exercise any of your rights in relation to the information or make a complaint.
- Information we may collect from you
- How we use your information
- Sharing or disclosure of your information
- Types of information we collect
- Website visits and purchases
- Where we store your personal information
- Information Security
- Your rights
For the purposes of the General Data Protection Regulation Act 2018, the data controller is:
RE Internet Systems Ltd (part of the RE Digital Group Ltd)
Our Data Protection Manager contact details (DPM) are:
RE: INTERNET SYSTEMS LTD
21 Marina Court
More information about the General Data Protection Regulation and all related and subordinate legislation as amended or re-enacted from time to time can be found on the Information Commissioner's website.
The Information Commissioner is our regulator for data protection matters.
Information we may collect from you
We may collect and process information about you when you:
- buy tickets;
- contact us
We collect information such as your contact details, ticket purchases, stations for payment and refund details.
Sometimes we obtain details from third parties, for example for concessionary tickets or staff tickets or passes, or for legitimate business reasons.
How we use your information
We will only use the information you provide as permitted by the Data Protection Act (DPA). Our reason(s) for using your data will vary depending on how you contact us, use our services, the consent you have given, our legitimate interests, or legal obligations we may have. Reasons for use of your data include:
- To provide you with the service - things like carrying out our obligations arising from any contracts - selling tickets, making and taking payments. We mostly rely on the legal ground of contractual performance to process your data, but sometimes the data is also used for our legitimate interests of customer service, health and safety, improving our services and other legal obligations, like providing information to our regulators.
- To provide you with details of services, information, and customer service - this is based on our legitimate interests, to run this service and associated services. Sometimes it is part of our contract or our other legal obligations.
- To run our booking service and improve it - we believe in investing in our railway services, like monitoring passenger numbers, improving technology, running our services safely and being a good employer - we call these our legitimate interests. Some of these are also covered in our legal obligations, not just to customers, but under contracts with Luton Airport Limited, the Department for Transport or Regulators. Some data is also shared to run interoperable services – in the Rail Industry this is overseen by the Rail Delivery Group - this is how you are able to use a ticket on a train and tube for example or use a rail Discount card.
- For your safety and security.
- For fraud and crime prevention.
Sharing or disclosure of your information
We will only share or disclose your information as set out in this Policy or in accordance with the DPA and will obtain your consent where we are required to do so. We will only use third parties to process information where we are satisfied that they comply with the DPA and can keep your data secure.
We may share or disclose information for the following reasons:
- We use data processors to provide or assist with some of our services, for example, the processing of bookings. Where we do so, they must agree to strict contractual terms and to keep your data secure;
- Where we share data to respond to your complaints or administer requests you have made, either to us or another party such as Luton Airport Limited.
- To process payment card transactions;
- To protect our legitimate business interests, as outlined above;
- In respect of information provided to us for marketing purposes only (including freely given consent), to us and Luton Airport Limited and/or any successor operator in order that they may contact you for marketing purposes in the event that we cease to operate this service;
Types of information we collect
Website visits and purchases
This section shows the information we collect when you use our website. Before providing us with your details, please read the following important information regarding:
- Collection of visitor information;
- Cookies; and Session Cookies.
- Other storage technologies
Collection of visitor information
We will only use the information that we collect about you lawfully, in accordance with the DPA.
The details you provide about yourself and any other information which identifies you (‘Personal Information’) is held by REIS on this website (the "Site") for operational purposes, for example member registration or processing payments.
REIS gathers general information about users, for example, what services users access the most and which areas of the site are most frequently visited. Such data is used in the aggregate to help us to understand how the site is used. We gather this information so that we can continue to improve and develop our services to the benefit of our users. We may make this aggregated information available to users of the site and to auditors. These statistics are anonymous and contain no personal information and cannot be used to gather such information.
When you register with the site, we may ask for personal information such as your name, contact details, and other details. Once you register with the site and accept our Terms & Conditions, you are not anonymous to us. We may use information that you provide to alert you to other products and services. We may contact you regarding site changes or changes to other products or services that you use.
If you buy a ticket online, we will record your personal details and send you a confirmation email. Your personal data will be used principally to communicate with you with reference to your request.
You may opt in to receive newsletters, exclusive discounts, special offers and other marketing emails from REIS. You may unsubscribe at any time by clicking the unsubscribe button at the bottom of the email. Please note changes to your subscription preferences can take up to 14 days to take effect.
Alternatively write to our Customer Relations Team:
What is a cookie?
A "cookie" is a small text file that is placed on your equipment when you visit a website (equipment like computer, phone, and tablet).
There are several types of cookies:
Functional or session cookies are used to provide services or to store your preferred settings. For example: remembering the products you purchase during online shopping; memorizing and passing on the information that you enter during the log-in process or that you leave behind on the various web pages during the ordering process, so that you do not have to enter the same data every time; saving your preferences; detecting abuse of our websites.
These cookies are used to analyse your visit to our website. For example, we analyse the number of visitors visiting our websites, the duration of the visits, the order of the pages visited and whether the pages of a website need to be adjusted. With the help of the collected information, we can make our websites more user-friendly. Furthermore, these cookies are used to solve possible technical problems on the websites.
Marketing and tracking cookies
Only if you have given us permission in advance will we use tracking cookies for commercial purposes. These cookies, often placed by third parties, help us to be able to offer you personalised offers. Third parties can follow your internet behaviour with tracking cookies.
Cookies from external parties
Some of the cookies are placed with the consent of REIS by third parties with the aim to bring certain products and services to your attention or to give you direct access to social media. For the cookies that these external parties place, the information they collect with them and the purpose for which that information is used, we refer to the privacy statements of these parties on their own websites. These statements can change regularly and REIS has no control whatsoever. Would you like to know more about cookies? Go to https://www.allaboutcookies.org/
Access to our database containing personal information on registered users of the site is restricted. To increase security, we ask you to input a password when you register as a user of the site. Please keep this password secret. In addition, we encrypt your financial information using SSL (Secure Sockets Layer) technology so that no one else can access your credit card details as they traverse the Internet. The SSL is certified by Verisign and is recognised as a secure way to pay on-line. As you may be aware, no data transmission over the Internet can be entirely secure. As a result, while we will always use reasonable endeavours to protect the personal information you provide to us, we cannot guarantee the security of your information and the use of our facilities (e.g., e-mail) is at your own risk. If you have any questions about paying for your ticket through the Site, please contact Customer Relations.
We do not routinely process children’s data, however in the rare instances that we do we may be required to gain consent from a parent or guardian to process the child’s data.
Where we choose to rely on consent as the legal basis for processing children’s personal data, consent may be required from a person holding ‘parental responsibility’ (note that under the GDPR the UK could choose to implement a lower age boundary than 16 in defining a “child” in law, if they are not below 13).
Where we store your personal information
The information that we collect from you will only be stored in the UK or, where it is necessary to disclose it to our processors located outside the UK, other jurisdictions which are acceptable according to guidance provided by the Information Commissioner and/or where appropriate legal and security safeguards are in place. Please contact the Data Protection Manager (see page 1) if you wish to find out more about the safeguards.
We use a range of appropriate technical and organisational measures to safeguard access to and use of, your personal information and to ensure it retains its integrity and availability. These include structured access controls to systems, network protection, intrusion detection, physical access controls and staff training. We also consider anonymising or pseudonymising personal data where practical.
Unless stated otherwise we will aim to satisfy your instruction or inform you as to why we are unable to, without undue delay and within 30 days. If we anticipate that we will not meet with this timeframe we will let you know within 30 days and explain why.
Ask for a copy of your personal data
You are entitled to request a copy of the personal information we hold about you.
Please contact the Data Protection Manager, as follows:
RE: INTERNET SYSTEMS LTD
21 Marina Court
We may need to ask for some further information, such as checking who you are.
Refer to the website for a copy of the Subject Access Report (SAR). Please define the format in which you wish to receive your information.
Sometimes we may hold information that we don’t have to provide, for example it would prejudice a police investigation or if the disclosure would cause harm to another person whose personal data is inseparable from your data.
In most cases we provide the copy of your data to you for free. We have set out some information about when it might not be free or provided below.
Rectification / Restriction
If you believe the information we hold about you is inaccurate or incomplete you can contact us and ask us to correct it. You may also request that any data processing we are carrying out on your data be halted whilst a request for rectification, objection or a dispute over the lawfulness of processing is being considered. We will provide a response confirming the action we have taken or disagree with taking.
This is also known as the “Right to be forgotten”; you can request deletion or removal of personal information in some circumstances, such as where there is no compelling reason for its continued processing. We will also take reasonable steps to notify third parties of your instruction and request that they act upon it, in a similar manner.
Withdrawal of consent
If we relied on consent as the ground for processing your personal data, you can withdraw this consent at any time. It does not affect the processing carried out beforehand. You can withdraw consent by contacting:
Data Protection Manager
RE: INTERNET SYSTEMS LTD
21 Marina Court
Where you have consented to receive direct marketing communications, you can withdraw your agreement at any time, as above or where available updating your preference centre or clicking on the appropriate link in the communication. We will act upon such an instruction as soon as possible.
Where you have provided us with personal data and the reasons we are processing it are based on consent or our contract with you, and the processing is automated, you have a right to ask for that information to be provided to you or another data controller in a structured, commonly used, and machine-readable format. The right may be restricted if it is not practical for us to provide the information in this way or it adversely affects the rights of others.
How we deal with rights requests
We are not able to charge you a fee for dealing with rights requests, unless they are manifestly unfounded or excessive or in circumstances where copies have been provided previously. We would always let you know if we thought this was the case, so that you can decide about what you wanted to do next.
There are various limitations and exemptions in relation to the exercise of rights in the DPA - for example if it would affect another’s rights and freedoms or if we need to retain the information to make or defend a legal claim. We intend only to rely on limitations and exemptions where it is fair to do so and always bearing in mind that it is your personal data.
The Data Protection Manager role has been established in a manner to remain independent of business decisions. If you wish to lodge a complaint against the business, please contact our Data Protection Manager; or the Information Commissioner.
If you are not happy with the way in which we deal with your data or have dealt with a rights request, then please let us know. Our Data Protection Manager is the first point of contact for dealing with Rights Requests and complaints and they are assisted by Customer Relations. If you are not satisfied with the way in which they have handled your complaint or rights request then you can contact the Group Data Protection Manager:
Data Protection Manager
If you are not satisfied with the response you can complain to the Information Commissioner. Their contact details are:
Head office Information Commissioner's Office
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number
Fax: 01625 524 510
How long do we keep your personal data for?
We will store your information for as long as we have to by law or regulatory requirement. If there’s no legal or regulatory requirement, we’ll only store it for as long as we need it. We will also keep some personal information for a reasonable period after your last contact with us – just in case you decide to use our services again. We, or one of our partners, may contact you about our services during this time if you haven’t opted out of receiving marketing communications from us.
This Policy was last updated on 15 February 2023