Littlepay Privacy Policy

Last updated 12 October 2020


This website is operated by Littlepay Limited and its affiliates (“Littlepay”, “we” or “us”). Please see the cookies section (below) for information about how we use cookies.

Littlepay is committed to protecting the data which we have access to in the course of providing our services. Please take the time to review this Privacy Policy, which explains what personal data we collect, how we use it, and your rights. Littlepay Limited (“Littlepay”, “we” or “us”) is the controller of the data collected via or in connection with the services we offer in the European Economic Area, with the exception of our CNP solution, where we are the processor of the data collected. For residents of California, the United States, Littlepay Inc. controls the data described in the California Privacy Notice below.

What data do we collect and process?

Littlepay provides secure payment processing services to transport operators, enabling them to accept payment from individuals for travel on public transport using payment cards or pre-paid digital tickets ("Tickets"). Below, we describe when we collect your data and what data elements are collected.

Payment Data. If you tap your payment card when boarding public transport to pay one of the transport operators that use our services (a “Merchant”), or you purchase a Ticket online from a Merchant in order to pre-pay for your travel on public transport using our card-not-present ("CNP") solution, we will process your Payment Data on behalf of the Merchant, which may include payment card “PAN” (personal account number), payment card type and payment card expiry details), and, for Tickets purchased online using our CNP solution, cardholder name, billing address, and CVV2. We may also collect Payment Data when you view your public transport payment history online.

Data about you provided by Merchants. We also collect data from our Merchants. This information may include your name, address, contact details, job role and employer details and any other information that you choose to provide us.

Merchant information. If you are a Merchant, we will process your login details for our online Merchant Portal (a PCI-compliant and responsive web portal for Merchants to view individual passenger transactions).

Device Identifiers and Usage Data. When you use our website, we collect certain standard information that is automatically sent by your browser to our website. This includes technical information about your device, such as your IP address, browser type, device identifiers, operating system, language, time zone setting, access times and any referring website addresses, as well as usage information, such as what pages you visit, time spent on each page, and URLs.

Other data you provide to us. We may collect any other data you choose to provide to us when you interact with us, such as when you send us an email or request technical support. This may include your name, contact details, and any other information you provide when communicating with us.

What do we use this data for?

We use your data to:

  • Facilitate payments from you to Merchants for the use of public transportation services, whether this is a direct card-present transaction where you board the vehicle of transport, or the advance purchase of a Ticket for the relevant transport.
  • Process your payment.
  • Fulfil our contractual obligations to the relevant Merchant.
  • Comply with our legal and regulatory requirements and obligations.
  • Investigate fraud, detect and prevent fraudulent transactions, and conduct secure authentication before verifying your purchase.
  • Market, advertise and promote our services.
  • Store your encrypted Payment Data for use in future transactions, where you elect to do so.
  • Contact and communicate with you in connection with the provision of our services or where you have got in touch with us.
  • Manage your purchases and your user account.
  • Conduct analytics and carry out market research.
  • Perform other business-related purposes, including negotiating, concluding and performing contracts, managing accounts and records, supporting corporate social responsibility activities, legal, regulatory and internal investigations and debt administration.

Legal basis for processing your data

Our legal bases for processing your data under applicable data protection laws are:Your consent, in accordance with applicable legal requirements.

  • Contract: the processing is necessary in order for us to fulfil our contract with the Merchant to provide payment processing services.
  • Legal obligation: the processing is necessary for our legal compliance.
  • Legitimate interests: Where processing is necessary for Littlepay’s legitimate interests, which may include one or more of the following:

    • fulfilling and processing your payment in order to provide the service the Merchant has contracted for;
    • running our business;
    • developing our products and services and growing our business;
    • improving our website and keeping it up to date and relevant;
    • analysing how customers purchase and use our products and services and informing our marketing strategy;
    • provision of internal administration and IT services;
    • keeping our records up to date; and
    • securing our network and systems.

Who do we share your data with?

We share your data in the following circumstances:

  • People within our organisation who have a ‘need to know’ that data for business or legal reasons, for example in order to carry out an administrative function.
  • As we operate internationally, we may share your data with any entity within the Littlepay group of companies worldwide.
  • With the relevant Merchant, bank or other financial institution(s), as necessary to provide our payment services. Please note we do not share complete card payment details with our Merchants.
  • With our affiliates, as necessary to provide our services and operate our business.
  • With service providers performing services on our behalf, and our professional and legal advisors, as necessary for the running of our business.
  • With third parties who provide us with fraud prevention and detection and security services.
  • With law enforcement or other governmental authorities, e.g. to report a fraud or in response to a lawful request or to comply with a lawful obligation.
  • With third parties in the event that we sell, buy or merge any business or assets, including to the prospective seller or buyer of such business or assets.
  • Otherwise where we have your consent or are otherwise legally permitted to do so.

Storage and Retention

Littlepay has offices in Delaware, London, and Australia, and is capable of processing payments globally. Consequently, your data may be processed in countries outside of your jurisdiction of residence, including in countries where you may have fewer legal rights in respect of your data than you do under local law. If you are a residence of the European Economic Area (“EEA”), when we transfer data outside the EEA we will, as required by applicable law, ensure that your privacy rights are adequately protected by appropriate safeguards, such as the EU’s standard contractual clauses. Please contact us at if you would like more information about these safeguards.

We will keep your data for as long as we need it for the purposes set out above, and so this period will vary depending on your interactions with us. Where we no longer have a need to keep your information, we will delete it. Please note that where you unsubscribe from our marketing communications, we will keep a record of your email address to ensure we do not send you marketing emails in future.

We store Payment Data, including card details and your address for up to 60 minutes following the processing of a payment, in order to verify the transaction. We store your card details, including PAN, payment card type and payment card expiry details (but never CVV2) in an encrypted, tokenised form for seven (7) years after the processing of each payment. At your option, we will make this information available for future transactions, meaning that you will only need to enter your card CVV2.

If, when purchasing a Ticket online you elect for us to store your Payment Data for future transactions (including continuous payment authority agreements you may have with a Merchant), we will store your name, PAN, payment card type and payment card expiry details. This information will be encrypted and stored as an encrypted token. Other Payment Data you may provide to us upon viewing your public transport payment history online, such as billing name and address and payment card CVV2, are not retained once you have been successfully verified. If you choose to set up a continuous payment authority through one of our Merchants, the terms of that continuous payment authority will be those terms agreed between you and the Merchant, including the amount of automatic top up and the balance at which the top up occurs. For details regarding any continuous payment authority you may have agreed, please contact the Merchant from whom you are purchasing a Ticket, or, where applicable, your bank.


We have put in place appropriate security measures to safeguard your data from unauthorised use, access, alteration or disclosure, or accidental loss. In addition, we limit access to your data to those employees, contractors and other third parties who have a business need to know. They will only process your data on our instructions and they are subject to a duty of confidentiality.

In particular, we have implemented the following security measures:

  • We comply with the Payment Card Industry Data Security Standard (PCI DSS) and have Level 1 security certification.
  • All payment card data (PAN, cardholder name, expiry and CVV) is captured using our secure Drop-In UI or through a Merchant’s secure systems and sent to us via API.
  • Each Merchant creates an online checkout, usually via an appointed third party developer, that is secured with our platform through mutual trust authentication mechanisms to ensure that the encrypted payment messages received to our platform are from a legitimate source and party.
  • Payment messages are further encrypted by Littlepay through industry standard cryptographic techniques commonly used in the payments industry, as follows:
    • payment card data is tokenised;
    • each customer dataset is stored separately; and
    • all payment transactions are processed using the tokenised payment card data held in a PCI-DSS secure payment card vault.
  • We do not process any sensitive data (e.g. biometric data, large scale profiling, genetic data or children’s data).


Our website uses cookies and similar technologies to provide certain functionality to the website and to understand and measure its performance. A cookie is a small text file that is stored on, and during subsequent visits retrieved from, your computer, tablet, mobile phone or similar devices when you visit our website. Cookies allow us to distinguish you from other users of our website and to remember, for example, your preferences when visiting the site so that we can provide you with a better user experience.

Some of the cookies we use are necessary for our website to operate whilst other cookies are used to provide tailored advertising by trusted third parties. To find out more about cookies, visit or

There are two categories of cookies: persistent cookies and session cookies. The persistent cookies are stored on your device for a longer period of time after your browser has been closed and are used, for example, to log the choices you made during earlier visits. Session cookies are stored temporarily in your browser, for example, to remember what language you selected. These are erased automatically after your browser is closed.

There are also third party cookies, meaning that the cookies do not originate from us, but from someone else. Third party cookies are often used for web statistics. Littlepay currently uses the following third party cookies: Google Analytics, Matomo and Auth0.

The different types of cookies we use

Littlepay uses the following categories of cookies on our website:

Strictly Necessary cookies - These cookies are essential for certain features of our website to work, for example profile information of a current logged-in user and access to the Merchant Portal. These cookies, for example, allow users to remain logged in.

Analytical or Performance cookies - These cookies are used to collect anonymous information about traffic to our website. These cookies do not collect data. In some cases we use trusted third parties to set cookies and collect information about browsing activity for us, which may include recording your use of our website.

We may also collect information about the device you use to access our website.

Functionality cookies - These cookies are used to recognise you when you return to our site. This enables us to remember your preferences.

Withdrawing your consent and managing cookies - If you'd prefer to restrict, block or delete cookies from Littlepay or any other website, you can use your browser to do this. Each browser is different, so check the 'Help' menu of your particular browser to learn how to change your cookie preferences. If you choose to disable all cookies we cannot guarantee the performance of our website and some features may not work as expected or at all.

Links to other websites

This Privacy Policy does not cover the links within this website linking to other websites. We encourage you to read the privacy statements on the other websites you visit. Littlepay uses various acquiring banks, one such example being Valitor hf, a bank incorporated under the laws of Iceland, for its acquiring services. Valitor’s privacy policy can be found here: Other acquiring banks Littlepay may use in the provision of its services are as follows: Global Payments, Elavon.

Your rights and choices

Legal Rights

Depending on your jurisdiction of residence, you may have certain rights in respect of your data, including the right to access, correct, and request the erasure of your data.

You may also have the right to object to your data being used for certain purposes, including to send you marketing. See ‘Marketing’ below, for more details of how to opt-out of marketing.

We will comply with any requests to exercise your rights in accordance with applicable law. Please be aware, however, that there are a number of limitations to these rights, and there may be circumstances where we are not able to comply with your request. To make any requests regarding your data, or if you have any questions or concerns regarding your data, you should contact us using the details below.

If you are a resident of the EEA and have a complaint regarding our processing of data, you are entitled to contact your supervisory authority for data protection. However, where possible, we would appreciate the opportunity to deal with your concerns before you approach the supervisory authority, so we ask that you please contact us in the first instance.

If you are a resident of California in the United States, please see our California privacy notice below.


Depending on your relationship with us, we may send you marketing from time to time. If you would no longer like to hear from us, please use the details provided in the marketing communication to unsubscribe or contact us at with the subject line “Unsubscribe.”

Contact Us

If you have any queries on any aspect of our Privacy Policy, please contact our Data Protection Officer by email at or by post to one of our offices.

Changes to this Privacy Policy

We reserve the right to update this Privacy Policy at any time, and we will place any updates here. At the start of this privacy notice, we will tell you when it was last updated. We encourage you to check this page regularly for any changes. By continuing to use the Services, you are confirming that you have read and understood the latest version of this Privacy Policy.

California Privacy Notice

This section provides additional details about the personal information (as that term is defined in the California Consumer Privacy Act (CCPA)) we collect about California consumers, as well as requests California consumers can make regarding their personal information.

Please note that this section applies only to information that Littlepay controls as a “business.” Where Littlepay processes your information on behalf of a Merchant as a “service provider,” you must contact the Merchant to learn more about your rights with respect to your personal information.

How We Collect, Use, and Disclose your Personal Information. The “What data do we collect?” section above describes the categories of personal information we may have collected over the last 12 months. We collect this information for the purposes described in the “What do we use this data for?” section, and we share this information as described in the “Who do we share this personal data with?” section.

Requests About Your Personal Information. California consumers can make the following requests with respect to their personal information:

  • A list of the categories of personal information we have collected about you, as well as the sources of that information, the purposes for which we collected it, and the categories of third parties with whom we share it;
  • The specific pieces of information we have collected about you;
  • Deletion of the personal information we have collected from you (subject to exceptions under applicable law).

Please note that we will need to request information to verify your identity before responding to your request.

Sale of Information. Littlepay does not “sell” (as such term is defined in the CCPA) information about consumers within the meaning of the CCPA in the past 12 months.

Shine the Light. The California “Shine the Light” law gives residents of California the right under certain circumstances to request information from us regarding the manner in which we share certain categories of personal information (as defined in the Shine the Light law) with third parties for their direct marketing purposes. We do not share your personal information with third parties for their own direct marketing purposes.