Introduction
Thameslink Southern Great Northern Limited (TSGNL) takes your privacy seriously and explains in this notice how we use your personal information. Thameslink Southern Great Northern Limited operates the Thameslink, Southern, Great Northern and Gatwick Express services.
This Privacy Notice explains:
- what personal information we collect and how we use it;
- why we are allowed to use your personal information (our “lawful basis”);
- who we share your personal information with;
- how long we keep it;
- your rights under data protection law and how to exercise them;
- how to contact us; and
- how to complain.
Our full company name is Thameslink Southern Great Northern Limited and we are registered with the UK’s data protection regulator – the Information Commissioner’s Office ("ICO").
ICO registration number: ZC126131
How to contact us about your personal information
If you have any questions about how we use your personal information, or you want to exercise your rights, you can contact our Data Protection Officer via our Data Protection Manager:
- Email: privacy@gtrailway.com
- Write to: Data Protection Manager, Thameslink Southern Great Northern Limited, 1st Floor, Monument, 24 Monument Street, London, EC3R 8AJ
What is personal information?
“Personal information” (or “personal data”) means information that can identify you as an individual when combined with other information we hold, or on its own. This includes things like your name, address, phone number, email address, payment details when you buy tickets, and information about how you use our website or travel on our services.
What does “processing” mean?
Processing covers how we collect, use, store, share and delete your personal information.
The data protection laws we follow
We follow the rules set out in the following, as amended from time to time:
- the UK General Data Protection Regulation (UK GDPR);
- the Data Protection Act 2018 (DPA 2018);
- the Privacy and Electronic Communications Regulations (PECR); and
- the Data (Use and Access) Act 2025 (DUAA) – changes to UK data protection laws will be implemented over time (expected between now and autumn 2026).
(together the “Data Protection Laws”)
Contents of this Privacy Notice
- What personal information we collect
- Information you give us directly
- Information we collect automatically
- Customer Help and Information Points (Help Points)
- CCTV and body-worn cameras (stations and on trains)
- Information from other organisations
- Revenue protection and fraud prevention information
- Special category and criminal offence data
- Inferred data
- How we use your personal information (purposes and lawful bases)
- Who we share your personal information with
- How we protect your data when sharing it
- CCTV – who is the controller (TSGNL vs Network Rail)
- Website, accounts, passwords and payment information
- Where we process your personal information and international transfers
- How we keep your personal information secure
- Your rights and how to exercise them
- How long we keep your personal information
- Data Subject Access Requests (DSAR)
- Privacy information for children and young people
- Links to other websites
- Changes to this Privacy Notice
- How to complain
1. What personal information we collect
We collect different types of personal information depending on how you interact with us. This includes:
1.1 Information you give us directly
We collect personal information when you:
- fill in a form on our website or mobile app, or contact us by phone, email, webchat, letter or social media;
- register for an account or smartcard on our website or app (including signing in via a social media account);
- subscribe to services such as journey alerts or newsletters;
- purchase products or services (including tickets or parking) or request a refund;
- choose to receive marketing by email, post, SMS or other means;
- register to use onboard or station Wi‑Fi;
- enter a competition or promotion or complete a survey;
- open our emails or interact with push notifications;
- call our customer service team (we record calls for training, quality and security purposes);
- use tickets and smartcards (e.g., what stations the ticket or smartcard was used at and at what time);
- enter competitions we run;
- participate in opinion panels or marketing forums.
1.2 Information we collect automatically
When you use our website, app, or onboard/station Wi‑Fi, we automatically collect information from your device. This may include:
- device type and settings;
- IP address;
- location data (if you allow this on your device); and
- browsing behaviour (such as pages visited or links clicked).
1.3 Customer Help and Information Points (Help Points)
Help Point calls may be recorded and/or monitored for safety, service and training purposes. In order to avoid delay in providing assistance, advance notice is not always given at the time of the call.
What we collect: audio recordings, time and date, the location of the Help Point and, where provided by you, your name and contact details.
1.4 CCTV and body‑worn cameras
We use CCTV cameras at stations we manage and on our trains, and our staff wear body‑worn cameras, to help keep passengers and staff safe, prevent and investigate incidents, and support revenue protection activities. Body‑worn cameras may record audio and video and may be used in situations such as fare disputes or anti‑social behaviour.
TSGNL is the controller only for CCTV used at TSGNL managed stations, on TSGNL trains, and body-worn cameras used by TSGNL employees. Stations and trains controlled by other organisations are responsible for any CCTV and body-worn cameras used at those stations or on those trains.
Rail replacement buses
When rail replacement bus or coach services are provided, CCTV or other recording equipment on those vehicles may be operated by the relevant bus or coach company rather than by us. Where that is the case, the bus or coach company will be responsible for how that footage or recording is used.
If you want to request access to footage or recordings from a rail replacement bus or coach, you may need to contact the relevant bus or coach company directly. The operator’s details may be shown on notices inside the vehicle or made available with the service information for your journey.
See section “CCTV – who is the controller” below for more information.
1.5 Information from other organisations
We may receive personal information about you from:
- law enforcement agencies (e.g., the police or British Transport Police) in relation to incidents, investigations, or security concerns.
- rail station operators if an incident involving you takes place at a station where we operate.
- other train operating companies (“TOCs”) for fraud prevention or revenue protection.
- credit reference agencies or fraud prevention databases if we need to verify information as part of fraud prevention or security checks.
- Rail Delivery Group in relation to travel irregularities and fraud, investigations, operational communication.
- Network Rail in relation to customer service, complaints, operational purposes, or security concerns.
1.6 Revenue protection and fraud prevention information
We process information to detect, investigate and prevent fare evasion or other fraudulent activity connected with our services and, where relevant, the services of other train operating companies. We may share relevant information for this purpose and receive relevant information from others.
In the course of revenue protection or penalty fare activity, we may also collect certain information necessary for evidential purposes (for example, a brief physical description, proof of age/identity details, and information relevant to an appeal).
This processing is carried out in line with our statutory obligations (such as those under the Regulation of Railways Act 1889 and Railway Byelaws) and under Schedule 2, Part 1 of the Data Protection Act 2018, which permits the use of personal data for the prevention or detection of crime.
We use a machine learning programme to detect fraudulent activities in connection with our services and the services of other train operating companies. We do this to help detect unusual patterns, but decisions with a significant impact are not made solely by automated means.
1.7 Special category and criminal offence data
Sometimes we need to process information that is treated as more sensitive under data protection law, such as health information (for example, to provide Passenger Assist) or criminal offence data (for example, where fraud or other offences are suspected or investigated).
1.8 Inferred data
Sometimes, we make reasonable assumptions based on the data we already hold. For example:
- If you regularly buy children's tickets, we may infer that you are a parent or guardian.
- If you travel frequently between the same locations, we may assume you are a commuter.
These insights are useful for us as a business and service provider because they allow us to:
- Improve our services: Understanding travel patterns helps us plan for demand, enhance customer experience, and develop new offers that suit different types of travellers.
- Make our communications more relevant: By grouping customers into broad categories (such as "commuters" or "families"), we can send information about offers or services that are more likely to be of interest to you.
2. How we use your personal information (purposes and lawful bases)
Under UK data protection law, we must have a valid reason (a “lawful basis”) for using your personal information. The lawful basis depends on what we use your information for. These are the lawful bases we rely upon:
- Fulfilling a contract – We need your data to provide the service you have requested.
Example: When you buy a train ticket, we collect your payment details and email to process the transaction and send your ticket.
- Consent – You have actively agreed to us using your data for a specific purpose.
Example: If you opt in to receive marketing emails, we rely on your consent to send them. You can withdraw consent at any time.
- Legitimate interests – We have a business reason to use your data, as long as it does not override your fundamental rights and freedoms.
Example: We may analyse travel patterns to improve services or share passenger data with a new train operator when a franchise changes.
- Legal obligation – We must process your data to comply with the law.
Example: Keeping financial records for tax purposes or sharing data for fraud prevention.
- Vital interests – We need to process your data to protect life or safety.
Example: If you become seriously unwell on a train or station, we may share relevant medical details with emergency services.
- Substantial public interest – We use your data for matters that serve the public good.
Example: Investigating fraud or criminal activity.
- Explicit consent – In some cases, we need your clear and specific agreement to process sensitive personal data.
Example: If you use Passenger Assist, we may store details of your mobility requirements. You can remove or update this at any time.
- Public interest processing – We deliver services under direction from the Department for Transport and some processing may be considered a task carried out in the public interest.
Summary tables: examples of how we use your personal information and the lawful bases we rely on
The tables below provide examples of common processing activities and the lawful bases we typically rely upon. They are not an exhaustive list of every instance in which we may process personal information. For full details about how we use your information, please read the relevant sections of this Privacy Notice.
When do we rely on your consent?
We may rely upon your consent as the lawful basis for processing in specific situations. The examples below show when we typically rely upon consent and what it covers. Where we rely upon consent, you can withdraw it at any time.
However, if consent was not the lawful basis we relied upon for a particular activity, there is no consent to withdraw.
| Purpose of Processing | When We Rely on Your Consent |
| --- | --- |
| Sending you marketing communications (including offers, service updates, and promotions) | We only send direct marketing if you’ve opted in. |
| Journey alerts and ticket sale notifications | We send these when you’ve asked to receive them – for example, alerts for a specific route. |
| Sharing data with partner services or platforms (e.g. social media tools, referral schemes) | We only ask for your consent if required by law or where the third party will use your data for their own purposes. |
| Personalising your website experience (e.g. recommending relevant services) | Enhancing the customer experience makes our service more useful. |
When we process your data to perform a contract
We use your data when it is necessary to fulfil a contract with you, such as providing a service you have requested.
If we need personal data to provide a product/service (contract), and you don’t provide it, we may be unable to provide the service (e.g., issue a ticket/refund/create an account).
| Purpose of Processing | Why This Applies |
| --- | --- |
| Responding to your enquiries and complaints | We need to respond to customer requests as part of our service commitment. |
| Fulfilling the service or providing the information you’ve requested | This is necessary to deliver the services you have requested. |
| Handling the administration of your payment, issuing tickets/products, or confirming orders | We need to process transactions and issue tickets or confirmations. |
| Providing post-sales support (e.g. complaints, refunds, ticketing or travel issues) | This ensures you receive support for any issues related to your purchase. |
| General record-keeping and passenger relationship management | We maintain records to manage our customer relationships. |
When we process your data to comply with a legal obligation
We are required by law to process certain types of data, including for safety, security, and regulatory purposes.
| Purpose of Processing | Why This Applies |
| --- | --- |
| Contacting you about updates to this Privacy Notice or changes to data processing | We are legally required to inform you of significant notice changes. |
| Using CCTV on our trains and in stations to prevent, deter, and detect crime | We have a legal duty to ensure safety and security on our trains and at stations. |
| Providing CCTV footage to law enforcement agencies | We may be required by law to share CCTV in response to a court order or police investigation. |
| Establishing and enforcing our legal rights | We must take action to protect our business operations and customers. |
| Complying with requests from law enforcement agencies, courts, or regulators | We are required to share certain information as mandated by law. |
| Managing a sale, restructuring, or merger of our business | We must follow legal requirements in corporate transactions. |
| Keeping records to comply with tax, consumer protection, and data protection laws | We have legal obligations to retain records for regulatory purposes. |
When we process your data for our legitimate interests
In some cases, we process your personal data because it is necessary for our business operations, provided it does not override your rights and freedoms.
| Purpose of Processing | Why This Applies |
| --- | --- |
| Responding to enquiries, complaints, and post-sales support (e.g. refunds, ticketing issues) | It is in our interest to provide good customer service and ensure customer satisfaction. |
| Fulfilling the service or providing requested information | We must provide accurate and timely service to customers. |
| Handling the administration of payments, issuing tickets, or confirming orders | Ensuring smooth transactions is essential to our service. |
| Sending service communications (e.g. ticket confirmations, updates, journey alerts) | Keeping customers informed about their travel plans is part of our engagement with them. |
| Improving our website, services, and products | Continuous improvements help us better meet customer needs. |
| Conducting market research and surveys, analysing marketing activities | Gathering feedback allows us to refine our services and better engage with customers. |
| Assisting with Wi-Fi technical support and ensuring website functionality | Ensuring reliable digital services benefits customers. |
| Using CCTV to prevent, deter, and investigate crime | CCTV helps maintain security and supports law enforcement. |
When we process your data for substantial public interests
| Purpose of Processing | Why This Applies |
| --- | --- |
| Prevention and detection of fraudulent activity. | To prevent and detect fraud against TSGNL and other Train Operating Companies which not only impacts TSGNL and TOCs financially but also honest fare paying customers. |
| To understand the accessibility requirements of our customers | To comply with the Equality Act 2010 and take steps to prevent unlawful discrimination and to ensure fair and equal treatment of individuals. |
| To prevent, detect, investigate and respond to unlawful acts | This processing may be necessary where we need to protect passengers and colleagues, support enforcement action, or share relevant information with the police, regulators or other train operating companies, as appropriate. |
When we process your data for Marketing purposes
We use your personal information to develop, analyse, and optimise our marketing activities, including sharing travel offers, ideas, and news with you.
We only send marketing messages where we have:
- Your consent (e.g., when you opt in to receive marketing emails).
- A legitimate interest (e.g., where we have a commercial reason to contact you that does not override your rights).
With your consent we use your information to create a personalised experience on our website and to show you offers or rewards that are relevant to you.
You can opt out of marketing at any time by:
- Clicking the "unsubscribe" link in our marketing emails.
- Replying "STOP" to a marketing text message (this will not stop essential service updates, such as ticket confirmations).
- Logging into your TSGNL account and updating your marketing preferences.
- Contacting our Data Protection team.
Important: Even if you opt out of marketing, you will still receive service communications, such as booking confirmations, disruption notices, and timetable changes.
| Purpose of processing (Marketing) | Lawful basis / how you can control it |
| --- | --- |
| Sending you marketing communications (offers, promotions, news) by email/SMS/post | Consent (opt-in). You can control this using the opt-out methods described above. |
| Journey alerts and ticket sale notifications | Consent (where you have asked for alerts). You can update your preferences at any time. |
| Personalised marketing and recommendations | Consent (making communications more relevant). You can object and adjust cookie/privacy settings and your marketing preferences. |
| Enhanced Conversions & ad measurement (Google) | Consent. We may share a hashed version of your email address – meaning it is not shared in a directly identifiable form – with Google to measure ad performance. We rely on legitimate interests for this activity, in line with UK GDPR. You can object and adjust cookie/privacy settings and your marketing preferences. |
| Facebook Conversion API (ad measurement) | Consent. We may use Facebook Conversion API to track the effectiveness of our marketing campaigns. You can object and adjust cookie/privacy settings and your marketing preferences. If you visit our website via an advert served by Facebook, Facebook may log your behaviour on our website in accordance with its own privacy policy. We do not receive your personal data from this activity. |
| Personalising your website experience (e.g. recommending relevant services) | Consent to enhancing the customer experience makes our service more useful. |
3. Who we share your personal information with
We share your personal information with third parties where necessary for business operations, service delivery, interoperability within the rail industry, and legal/regulatory requirements. We require processors to act on our instructions and protect your information.
If you are under 18, we may share your personal data with your parents or the persons with parental responsibility for you. We may also share your personal data with your school to confirm your eligibility if you seek to claim a student pass or where you enter a competition run by us in conjunction with your school.
3.1 Third parties acting as our data processors
Some third parties carry out business functions on our behalf, such as website administration, IT support, ticket sales and payment processing, marketing and advertising services. These companies act as data processors under data protection law, meaning they only process your personal data based on our instructions.
We ensure these third parties have appropriate security standards in place before sharing any personal data. Examples include:
- IT service providers supporting website maintenance, software, data hosting, and backups.
- Payment processors handling card payments for ticket purchases.
- Mailing houses sending pre-booked tickets.
- Wi-Fi suppliers supporting onboard internet services.
- Customer service providers assisting with ticketing, complaints, and other passenger services.
- Marketing and advertising services providers
- Website analytics and customer research agencies
- Our legal and professional advisors
- Group company members
3.2 Third parties acting as independent data controllers
In some cases, we share your personal data with third parties who act as data controllers in their own right. This means they make their own decisions about how to process your data. We may share data in the following circumstances:
- Future railway transition. We are currently owned and operated by DfT Operator Limited (DFTO), a government‑owned company. If ownership or operation of the company changes in the future, your personal data may be transferred automatically to the new operator to ensure continuity of service. This may include your bookings, customer service history, and - if you have opted in - your marketing preferences, so you continue to receive communications you have requested. Your data protection rights will not change, and we will update this Privacy Notice with any relevant changes. You can update or withdraw your preferences at any time.
- Legal and regulatory requirements. We may disclose personal data to comply with legal obligations, enforce contracts, or protect the safety and rights of customers, employees, and others. In cases of suspected criminal activity, we may share relevant information with the police or British Transport Police (BTP).
- Other train operating companies. Where relevant for fraud prevention purposes, or revenue protection, or where tickets are accepted on other train lines due to service issues or delays.
- Rail Delivery Group and other train operating companies to run interoperable services which allow you to use a ticket on a train and the tube or use a rail discount card other than where there are service issues or delays.
- DFTO Group Train Operating Companies. The DFTO Group has established a centralised body tasked with railway enforcement by means of bringing private prosecutions and civil court proceedings under current railway legislation. We may disclose personal data in the furtherance of such enforcement and recovery operations.
- Government and regulatory bodies. Where lawfully required, we may disclose personal data to judicial authorities, government and regulatory bodies, including the Department for Work & Pensions, Financial Conduct Authority, Information Commissioner’s Office, HMRC, and the police.
4. How we protect your data when sharing it
All personal information shared with third parties is transferred securely. When third parties act as data processors, they:
- Must comply with our instructions and cannot use your data for their own business purposes.
- Must have technical and organisational measures in place to protect your data.
For independent data controllers, we only share what is necessary after ensuring there is a lawful basis for sharing the data and use appropriate security during transfer.
5. CCTV – who is the controller (TSGNL vs Network Rail)
5.1 CCTV at stations managed by TSGNL
TSGNL is the controller for CCTV systems at stations that we manage. We use CCTV to help maintain safety and security, prevent and investigate incidents, and support revenue protection.
5.2 CCTV at stations managed by Network Rail
Network Rail is the controller for CCTV footage recorded at stations managed by Network Rail. If you need to access CCTV footage of yourself recorded at one of those stations, you must contact Network Rail directly.
You can identify who manages a station across the network by visiting:
https://www.nationalrail.co.uk/stations/
5.3 Requests for CCTV footage (DSARs)
Personal data in the context of CCTV or body-cam footage is an image, audio or other information from which a living individual (you) can be identified. In particular, you are the focus of the image which contains significant information about you, and/or audio that identifies you or where the processing of the image/audio will affect your data privacy rights.
You can request CCTV footage of yourself as part of a Data Subject Access Request (DSAR), but there are limits on when we can provide it (for example, where footage includes other identifiable living individuals, where disclosure would prejudice a police investigation, or where the request is excessive or disproportionate – we may refuse your request).
Important: If your request relates to CCTV footage recorded at a station managed by Network Rail, you must contact Network Rail directly. We do not control CCTV at those stations and cannot provide that footage.
Extracting CCTV footage is a complex process and we will prioritise requests from law enforcement agencies before others.
Disproportionate or unreasonable requests: Where a request is disproportionate or unreasonable, meaning that the effort required to fulfil it outweighs its necessity or benefit, we will decline your request. For example:
- requesting footage for a delay repay claim: we will not provide CCTV footage to show you were on a train, as this is not required to assess delay repay claims and would be a disproportionate use of resources
- requesting several days’ worth of footage: this would be a disproportionate use of resources and will be declined
- Requesting footage of a suitcase under a DSAR is an unreasonable request since an object like a suitcase falls outside the scope of the Data Protection Laws (which relate to identifiable living individuals). However, if the police request footage as part of an investigation, we will cooperate and provide it to them where appropriate.
5.4 CCTV retention
We keep CCTV footage for no longer than 31 days, unless it is required for an ongoing investigation, complaint, legal claim or by law.
Car park incidents: If your car has been damaged in one of our managed car parks and you need CCTV footage, we require your insurer to request it on your behalf. However, insurers can take a while to process requests so we suggest you make us aware of the forthcoming request early on.
6. Website, accounts, passwords and payment information
6.1 Third‑party links
For your convenience, our website and apps may contain links to sites owned and operated by third parties. They have their own privacy policies, and we encourage you to review them. We do not accept responsibility or liability for the privacy practices of third‑party websites and your use of those websites is at your own risk.
6.2 Passwords
In order to increase security, we ask you to input a password when you register as a user of the site. Please keep this password secret. We cannot accept liability for any damages arising from your failure to keep your password secret.
6.3 Financial information (payments)
When you make purchases online, payment information is handled securely.
Payment details are encrypted in transit using industry‑standard TLS. Depending on the service or reason for payment, payments are processed either by us or by our PCI-DSS compliant payment partners or other third‑party providers, and in all cases card data is handled in accordance with PCI‑DSS requirements.
7. Where we process your personal information
We aim to keep as much of your personal information as possible within the UK and the European Economic Area (EEA). If we transfer personal information outside the UK/EEA, we will ensure appropriate safeguards are in place as required by UK data protection law such as adequacy regulations or approved contractual terms; you can ask us for more information about the safeguards used.
8. How we keep your personal information secure
We use a combination of administrative, technical and physical safeguards to protect your information from unauthorised access, unlawful processing, and accidental loss, destruction or damage.
9. Your rights and how to exercise them
Your personal information is protected under data protection law, and you have specific rights. These rights do not apply in all situations, but if you ask to use a right we will explain whether or not it applies and, if not, why not.
- The right to be informed – You have the right to know how we use your data. That’s why we have this Privacy Notice.
- The right to correct inaccurate information – If your details are wrong, you can ask us to fix them. You may also be able to add missing information.
- The right to object to processing – You can object to us using your data in certain cases:
  - For direct marketing – you can always opt out
  - When we rely on legitimate interests (unless we have a compelling reason to continue)
  - When we carry out tasks in the public interest or exercise an official authority vested in us as controller (unless we have a compelling reason to continue)
  - For statistical research, in some circumstances
- The right to restrict processing – You can ask us to limit how we use your data:
  - While we check its accuracy (if you’ve challenged it)
  - If the processing is unlawful but you don’t want us to delete the data
  - If we no longer need the data but you do, for a legal claim
- The right to erasure (“right to be forgotten”) – You can ask us to delete your data in some situations:
  - If it’s no longer needed for its original purpose
  - If you withdraw consent (and consent was the legal basis)
  - If it was processed unlawfully
  - If we’re legally required to delete it

  We may refuse erasure if we need to keep the data for legal, contractual, or regulatory reasons, or to establish or defend legal claims.

  If you later provide your data to us again (e.g. by signing up to marketing), we’ll treat you as a new customer.
- The right of access (“subject access request”) – You can ask us:
  - Whether we hold your data
  - For a copy of your data
  - How we use it (although this Privacy Notice covers most of that)

  See below for more information on subject access requests.
- The right to data portability – If we process your data under consent or contract and use automated systems, you can ask us to move it to another provider.

  This right is limited and unlikely to apply to most of our services.
- Rights relating to automated decisions and profiling – If a decision with significant impact is made by automated means only (without any human involvement), you can request a human review and challenge the decision.
  - We may use automated tools to help assess Delay Repay, refund, compensation or similar claims. These tools may help us check information such as journey details, ticket details, service disruption, eligibility and the value of any payment due. Where an automated tool is used, we keep appropriate checks in place. If you disagree with the outcome of a claim, you can ask for it to be reviewed by a person. If you remain unhappy after that review, you can escalate the matter through our customer complaints process.
- The right to complain to the ICO – If you’re unhappy with how we’ve handled your data, you can contact the Information Commissioner’s Office: https://ico.org.uk/make-a-complaint/
If you’d like to know more about your rights or want to use any of them, please contact our Data Protection Team.
10. How long we keep your personal information
We retain personal information only as long as necessary for the purposes described in this Privacy Notice, including meeting legal and regulatory requirements and handling claims, complaints or disputes.
If you would like more detail about retention periods, please contact our Data Protection Team.
11. Data Subject Access Requests (DSAR)
You have the right to ask for a copy of the personal information we hold about you. This is called a Data Subject Access Request (DSAR).
We provide this information free of charge, except in limited cases - for example, repeat or clearly unreasonable requests. We aim to respond within one month of confirming your identity.
If your request is very broad or complex and can’t be completed within a month, we will:
- Send you the information we can within the deadline
- Keep you updated on our progress
- Provide the rest as soon as possible, in line with UK data protection law and ICO guidance
If you’d like a copy of your personal data, please email or write to our Data Protection Team. Unless you ask for a different format, we’ll usually provide the data electronically - especially if your request was made by email or social media.
We may ask you to narrow down your request if:
- It’s too broad to process reasonably
- It looks like you're trying to find something specific, and narrowing the scope will help us locate it faster
If we ask for clarification, we’ll explain why and help you refine your request so you get what you need as quickly as possible.
If we hold personal data about you, we’ll:
- Describe the data we hold
- Explain why we’re processing it
- Let you know where we got it (if not from you)
- Say whether it’s been used for automated decisions
- Confirm if it’s stored outside the UK or EEA, and what safeguards apply
- Give you a clear, concise copy of the data
12. Privacy information for children and young people
We sometimes collect and use personal information about children and young people, for example where you travel on our services, use a child or student ticket, use our website or app, take part in a competition, request assistance, or are recorded by CCTV.
Personal information means information that can identify you, such as your name, contact details, date of birth, photograph, ticket or smartcard details, journey information, or information about any help you need when travelling.
We only use your personal information where we have a lawful reason to do so. This may include using it to provide tickets or services, keep you safe, prevent fraud or crime, respond to questions or complaints, provide assistance, contact a parent, guardian, school or local authority where appropriate, or comply with the law.
We will not keep your personal information for longer than we need it. We may share it with other organisations where this is necessary and lawful, for example with a parent or guardian, your school or local authority, the police, transport operators, or organisations that help us provide our services.
You have rights over your personal information, including the right to ask for a copy of it or ask us to correct it. In some cases, a parent or guardian may help you use these rights. If you are worried about how we use your personal information, you or someone helping you can contact our Data Protection Team.
13. Links to other websites
Our website may contain links to external sites. This Privacy Notice applies only to TSGNL and its brands and does not cover third‑party websites or organisations you access via such links. We encourage you to read the privacy policies of any external websites you visit.
14. Changes to this Privacy Notice
We review this Privacy Notice regularly to ensure it remains accurate and up to date.
This Privacy Notice was last updated on: 31 May 2026
15. How to complain
If you have a complaint about how we handle your personal information, please contact our Data Protection Team first so we can try to resolve it. You also have the right to complain to the Information Commissioner’s Office (ICO):
https://ico.org.uk/make-a-complaint/