Privacy policy – Littlepay
Privacy Policy
Last updated: March 22, 2022

Introduction

This website is operated by Littlepay Limited and its affiliates (“Littlepay”, “we” or “us”). Please see the cookies policy for information about how we use cookies.

Littlepay is committed to protecting the data which we have access to in the course of providing our services. Please take the time to review this Privacy Policy, which explains what personal data we collect, how we use it, and your rights. Littlepay Limited (“Littlepay”, “we” or “us”) is the controller of the data collected via or in connection with the services we offer in the European Economic Area and the United Kingdom, with the exception of our CNP solution, where we are the processor of the data collected. For residents of California, the United States, Littlepay Inc. controls the data described in the California Privacy Notice below.

What data do we collect and process?

Littlepay provides secure payment processing services to transport operators, enabling them to accept payment from individuals for travel on public transport using payment cards or pre-paid digital tickets (“Tickets”). Below, we describe when we collect your data and what data elements are collected.

Payment Data. If you tap your payment card when boarding public transport to pay one of the transport operators that use our services (a “Merchant”), or you purchase a Ticket online from a Merchant in order to pre-pay for your travel on public transport using our card-not-present (“CNP”) solution, we will process your Payment Data on behalf of the Merchant, which may include payment card “PAN” (personal account number), payment card type and payment card expiry details), and, for Tickets purchased online using our CNP solution, cardholder name, billing address, and CVV2. We may also collect Payment Data when you view your public transport payment history online.

Data about you provided by Merchants. We also collect data from our Merchants. This information may include your name, address, contact details, job role and employer details and any other information that you choose to provide us.

Merchant information. If you are a Merchant, we will process your login details for our online Merchant Portal (a PCI-compliant and responsive web portal for Merchants to view individual passenger transactions).

Device Identifiers and Usage Data. When you use our website, we collect certain standard information that is automatically sent by your browser to our website. This includes technical information about your device, such as your IP address, browser type, device identifiers, operating system, language, time zone setting, access times and any referring website addresses, as well as usage information, such as what pages you visit, time spent on each page, and URLs.

Other data you provide to us. We may collect any other data you choose to provide to us when you interact with us, such as when you send us an email or request technical support. This may include your name, contact details, and any other information you provide when communicating with us.

What do we use this data for?

We use your data to:

  • Facilitate payments from you to Merchants for the use of public transportation services, whether this is a direct card-present transaction where you board the vehicle of transport, or the advance purchase of a Ticket for the relevant transport.
  • Process your payment.
  • Fulfil our contractual obligations to the relevant Merchant.
  • Comply with our legal and regulatory requirements and obligations.
  • Investigate fraud, detect and prevent fraudulent transactions, and conduct secure authentication before verifying your purchase.
  • Market, advertise and promote our services.
  • Store your encrypted Payment Data for use in future transactions, where you elect to do so.
  • Contact and communicate with you in connection with the provision of our services or where you have got in touch with us.
  • Manage your purchases and your user account.
  • Conduct analytics and carry out market research.
  • Perform other business-related purposes, including negotiating, concluding and performing contracts, managing accounts and records, supporting corporate social responsibility activities, legal, regulatory and internal investigations and debt administration.

Legal basis for processing your data

Our legal bases for processing your data under applicable data protection laws are: 

  • Your consent: In certain circumstances (e.g. for direct marketing, advertising and promotional purposes), we may request your consent to process your personal data. In such cases, consent will be collected in accordance with applicable legal requirements. Where we rely on consent as a legal basis to process your personal data you have a right to withdraw consent at any time by contacting us.
  • Contract: the processing is necessary in order for us to fulfil our contract with the Merchant to provide payment processing services. Where we need to collect your personal data in order to fulfil our contract with you and you fail to provide the data where requested, we may not be able to perform the contract we have or are trying to enter into with you. In this case, we may have to cancel the payment processing services to which you have subscribed or are seeking to subscribe.
  • Legal obligation: the processing is necessary for our legal compliance.
  • Legitimate interests: Where processing is necessary for Littlepay’s legitimate interests (to the extent your rights and interests do no override our legitimate interests), which may include one or more of the following:
    • fulfilling and processing your payment in order to provide the service the Merchant has contracted for;
    • running our business;
    • developing our products and services and growing our business;
    • improving our website and keeping it up to date and relevant;
    • analysing how customers purchase and use our products and services and informing our marketing strategy;
    • provision of internal administration and IT services;
    • keeping our records up to date; and
    • securing our network and systems.

Who do we share your data with?

We share your data in the following circumstances:

  • People within our organisation who have a ‘need to know’ that data for business or legal reasons, for example in order to carry out an administrative function.
  • As we operate internationally, we may share your data with any entity within the Littlepay group of companies worldwide.
  • With the relevant Merchant, bank or other financial institution(s), as necessary to provide our payment services. Please note we do not share complete card payment details with our Merchants.
  • With our affiliates, as necessary to provide our services and operate our business.
  • With service providers performing services on our behalf, and our professional and legal advisors, as necessary for the running of our business.
  • With third parties who provide us with fraud prevention and detection and security services.
  • With law enforcement or other governmental authorities, e.g. to report a fraud or in response to a lawful request or to comply with a lawful obligation.
  • With third parties in the event that we sell, buy or merge any business or assets, including to the prospective seller or buyer of such business or assets.
  • Otherwise where we have your consent or are otherwise legally permitted to do so.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

Storage and Retention

Littlepay has offices in Delaware, London, and Australia, and is capable of processing payments globally. Consequently, your data may be processed in countries outside of your jurisdiction of residence, including in countries where you may have fewer legal rights in respect of your data than you do under local law. If you are a resident of the European Economic Area (“EEA”) or United Kingdom (“UK”), when we transfer data outside the EEA/UK (as applicable) we will, as required by applicable law, ensure that your privacy rights are adequately protected by: (i)  only transferring your personal data to countries that have been deemed to provide an adequate level or protection for personal data, or (ii) appropriate safeguards, such as the EU’s standard contractual clauses (or such other data transferring clauses or safeguards that may be approved by the relevant data protection supervisory authority from time to time). Please contact us at legal@littlepay.com if you would like more information about these safeguards.

We will keep your data for as long as we need it for the purposes set out above, and so this period will vary depending on your interactions with us. Where we no longer have a need to keep your information, we will delete it. Please note that where you unsubscribe from our marketing communications, we will keep a record of your email address to ensure we do not send you marketing emails in future.

We store Payment Data, including card details and your address for up to 60 minutes following the processing of a payment, in order to verify the transaction. We store your card details, including PAN, payment card type and payment card expiry details (but never CVV2) in an encrypted, tokenised form for seven (7) years after the processing of each payment. At your option, we will make this information available for future transactions, meaning that you will only need to enter your card CVV2.

If, when purchasing a Ticket online you elect for us to store your Payment Data for future transactions (including continuous payment authority agreements you may have with a Merchant), we will store your name, PAN, payment card type and payment card expiry details. This information will be encrypted and stored as an encrypted token. Other Payment Data you may provide to us upon viewing your public transport payment history online, such as billing name and address and payment card CVV2, are not retained once you have been successfully verified. If you choose to set up a continuous payment authority through one of our Merchants, the terms of that continuous payment authority will be those terms agreed between you and the Merchant, including the amount of automatic top up and the balance at which the top up occurs. For details regarding any continuous payment authority you may have agreed, please contact the Merchant from whom you are purchasing a Ticket, or, where applicable, your bank.

Security

We have put in place appropriate security measures to safeguard your data from unauthorised use, access, alteration or disclosure, or accidental loss. In addition, we limit access to your data to those employees, contractors and other third parties who have a business need to know. They will only process your data on our instructions and they are subject to a duty of confidentiality.

In particular, we have implemented the following security measures:

  • We comply with the Payment Card Industry Data Security Standard (PCI DSS) and have Level 1 security certification.
  • All payment card data (PAN, cardholder name, expiry and CVV) is captured using our secure Drop-In UI or through a Merchant’s secure systems and sent to us via API.
  • Each Merchant creates an online checkout, usually via an appointed third party developer, that is secured with our platform through mutual trust authentication mechanisms to ensure that the encrypted payment messages received to our platform are from a legitimate source and party.
  • Payment messages are further encrypted by Littlepay through industry standard cryptographic techniques commonly used in the payments industry, as follows:
    • payment card data is tokenised;
    • each customer dataset is stored separately; and
    • all payment transactions are processed using the tokenised payment card data held in a PCI-DSS secure payment card vault.
  • We do not process any sensitive data (e.g. biometric data, large scale profiling, genetic data or children’s data).

Links to other websites

This Privacy Policy does not cover the links within this website linking to other websites. We encourage you to read the privacy statements on the other websites you visit. Littlepay uses various acquiring banks, one such example being Valitor hf, a bank incorporated under the laws of Iceland, for its acquiring services. Valitor’s privacy policy can be found here: https://www.valitor.com/about-us/privacy-notice/ Other acquiring banks Littlepay may use in the provision of its services are as follows: Global Payments, Elavon.

Your rights and choices

Legal Rights

Depending on your jurisdiction of residence, you may, under certain circumstances have certain rights in respect of your data, including:

  • the right to access your personal data; 
  • the right to request the correction of your personal data;
  • the right to request the erasure of your data;
  • the right to request the restriction of your personal data;
  • the right to withdraw consent to the processing of your personal data; and
  • the right to request the transfer of your personal data

You may also, in certain circumstances, have the right to object to your data being used for certain purposes, including to send you marketing. See ‘Marketing’ below, for more details of how to opt-out of marketing.

We will comply with any requests to exercise your rights in accordance with applicable law. Please be aware, however, that there are a number of limitations to these rights, and there may be circumstances where we are not able to comply with your request. To make any requests regarding your data, or if you have any questions or concerns regarding your data, you should contact us using the details below.

If you are a resident of the EEA or the UK and have a complaint regarding our processing of data, you are entitled to contact your supervisory authority for data protection. However, where possible, we would appreciate the opportunity to deal with your concerns before you approach the supervisory authority, so we ask that you please contact us in the first instance.

If you are a resident of California in the United States, please see our California privacy notice below.

Marketing

Depending on your relationship with us, we may send you marketing from time to time.  Where you are a customer or partner, we may send such marketing communications on the basis of our legitimate interests. If you have no pre-existing relationship with us, we will seek your consent to send you marketing communications. 

If you would no longer like to hear from us, please use the details provided in the marketing communication to unsubscribe or contact us at legal@littlepay.com with the subject line “Unsubscribe.”

Contact Us

If you have any queries on any aspect of our Privacy Policy, please contact our Data Protection Officer by email at legal@littlepay.com or by post to one of our offices.

VeraSafe has been appointed as Littlepay’s representative in the European Union for data protection matters, pursuant to Article 27 of the General Data Protection Regulation of the European Union. If you are in the European Economic Area, VeraSafe can be contacted in addition to Littlepay, only on matters related to the processing of personal data. 

To make such an enquiry, please contact VeraSafe using this contact form: https://verasafe.com/public-resources/contactdata-protection-representative or via telephone at: +420 228 881 031. Alternatively, VeraSafe can be contacted at: VeraSafe Ireland Ltd. Unit 3D North Point House North Point Business Park New Mallow Road Cork T23AT2P Ireland.

Changes to this Privacy Policy

We reserve the right to update this Privacy Policy at any time, and we will place any updates here. At the start of this privacy notice, we will tell you when it was last updated. We encourage you to check this page regularly for any changes. By continuing to use the Services, you are confirming that you have read and understood the latest version of this Privacy Policy.

California Privacy Notice

This section provides additional details about the personal information (as that term is defined in the California Consumer Privacy Act (CCPA)) we collect about California consumers, as well as requests California consumers can make regarding their personal information.

Please note that this section applies only to information that Littlepay controls as a “business.” Where Littlepay processes your information on behalf of a Merchant as a “service provider,” you must contact the Merchant to learn more about your rights with respect to your personal information.

How We Collect, Use, and Disclose your Personal Information. The “What data do we collect?” section above describes the categories of personal information we may have collected over the last 12 months. We collect this information for the purposes described in the “What do we use this data for?” section, and we share this information as described in the “Who do we share this personal data with?” section.

Requests About Your Personal Information. California consumers can make the following requests with respect to their personal information:

  • A list of the categories of personal information we have collected about you, as well as the sources of that information, the purposes for which we collected it, and the categories of third parties with whom we share it;
  • The specific pieces of information we have collected about you;
  • Deletion of the personal information we have collected from you (subject to exceptions under applicable law).

Please note that we will need to request information to verify your identity before responding to your request.

Sale of Information. Littlepay does not “sell” (as such term is defined in the CCPA) information about consumers within the meaning of the CCPA in the past 12 months.

Shine the Light. The California “Shine the Light” law gives residents of California the right under certain circumstances to request information from us regarding the manner in which we share certain categories of personal information (as defined in the Shine the Light law) with third parties for their direct marketing purposes. We do not share your personal information with third parties for their own direct marketing purposes.