What personal data do we collect and process?
Littlepay provides payment processing services to transport operators, enabling them to accept payment from individuals for travel on public transport using payment cards.
We collect and process personal data primarily when individuals use our payment merchant services. If you make a payment to one of the transport operators that use our services (a “Merchant”), we will process certain information relating to that transaction, including specific details of the transaction and your payment card details (“Payment Data”).
Payment Data of individuals is captured by us in the following two instances: (i) when you tap your payment card to pay a Merchant upon boarding public transport (at which point we collect the following information: payment card “PAN” (personal account number), payment card type and payment card expiry details); and (ii) when you view your public transport payment history online (at which point we collect: PAN, payment card type, payment card expiry details, payment card CVV2 and billing name and address). When retained by us, your PAN is encrypted. Other details you may provide to us upon viewing your public transport payment history online, such as billing name and address and payment card CVV2, are not retained once you have been successfully verified.
We also collect personal data from our Merchants, and from users of our website (for example, if you submit a query via our website). If you are a Merchant, we will process your login details for our online Merchant Portal (a PCI-compliant and responsive web portal for Merchants to view individual passenger transactions).
What do we use this personal data for?
We use Payment Data to process the payment, fulfil our contractual obligations to the relevant Merchant, and comply with our legal and regulatory requirements. Where necessary, we may also use Payment Data to investigate fraud and prevent fraudulent transactions.
Our legal basis for processing Payment Data, under UK data protection law, is that it is in the Merchants’ and Littlepay’s legitimate interests to fulfil and process your payment in order to provide the service the Merchant has been contracted for.
Littlepay complies with the Payment Card Industry Data Security Standard (PCI DSS) and has Level 1 security certification.
We use personal data relating to our Merchants and website users to maintain our commercial relationships, respond to queries, and promote our services. We do so where we have your consent, or where it is in our legitimate interests to provide and promote our services.
Littlepay will not share your personal data with third parties, except for the purposes of carrying out payment merchant services for payment on public transport or as may be required by regulatory bodies or law.
Depending on your relationship with us, we may send you marketing from time to time. If you would no longer like to hear from us, please use the details provided in the marketing communication or contact us at the details below.
Who do we share this personal data with?
We share personal data with third parties in the following circumstances:
- With the relevant Merchant, bank or other financial institution(s), as necessary to provide our payment services. Please note we do not share complete card payment details with our Merchants.
- With our affiliates, as necessary to provide our services and operate our business.
- With service providers working for us, and our professional and legal advisors.
- With third parties engaged in fraud prevention and detection.
- With law enforcement or other governmental authorities, e.g. to report a fraud or in response to a lawful request.
- Otherwise where we have your consent or are otherwise legally permitted to do so.
Storage and Retention
Littlepay has offices in London and Australia, and is capable of processing payments globally. Consequently, your personal data may be processed in countries outside of Europe, including in countries where you may have fewer legal rights in respect of your data than you do under local law. If we transfer personal data outside the European Economic Area we will, as required by applicable law, ensure that your privacy rights are adequately protected by appropriate safeguards, in particular the EU’s standard contractual clauses. Please contact us if you would like more information about these safeguards.
We will keep your personal data for as long as we need it for the purposes set out above, and so this period will vary depending on your interactions with us. Where we no longer have a need to keep your information, we will delete it. Please note that where you unsubscribe from our marketing communications, we will keep a record of your email address to ensure we do not send you marketing emails in future.
The different types of cookies we use
Littlepay uses the following categories of cookies on our website:
Performance - These cookies are used to collect anonymous information of traffic to our website. These cookies do not record personally identifiable information and we do not need your consent to place these cookies on your device.
Strictly Necessary - These cookies are essential for certain features of our website to work, for example profile information of the current logged-in user and access to the Merchant Portal. It allows users to remain logged in.
In some cases we use trusted third parties to collect this information for us which may include recording your use of our website, but they only use the information for the purposes explained herein.
By using our website, you agree that we can place these types of cookies on your device. We may also collect information about the device you use to access our website.
Without these cookies some services you have asked for cannot be provided.
Managing cookies - If you'd prefer to restrict, block or delete cookies from Littlepay or any other website, you can use your browser to do this. Each browser is different, so check the 'Help' menu of your particular browser to learn how to change your cookie preferences. If you choose to disable all cookies we cannot guarantee the performance of our website and some features may not work as expected.
You have certain rights in respect of your personal data, including the right to access, correct, and request the erasure of your personal data.
You also have the right to object to your personal data being used for certain purposes, including to send you marketing. See ‘Marketing’ above, for more details of how to opt-out of marketing.
We will comply with any requests to exercise your rights in accordance with applicable law. Please be aware, however, that there are a number of limitations to these rights, and there may be circumstances where we are not able to comply with your request. To make any requests regarding your personal data, or if you have any questions or concerns regarding your personal data, you should contact us using the details below. You are also entitled to contact the UK’s supervisory authority for data protection, the Information Commissioner’s Office.
To view our Employee Privacy Notice, please click here.
Changes to this privacy notice
We will keep this privacy notice under regular review and we will place any updates here. At the start of this privacy notice, we will tell you when it was last updated.
Last updated 22 May 2018
ICO registration number: ZA451546