Last updated 17 April 2020
What personal data do we collect and process?
Littlepay provides secure payment processing services to transport operators, enabling them to accept payment from individuals for travel on public transport using payment cards or pre-paid digital tickets ("Tickets").
We collect and process personal data primarily when individuals use our payment processing services. If you make a payment to one of the transport operators that use our services (a “Merchant”), or you purchase a Ticket online from a Merchant in order to pre-pay for your travel on public transport using our card-not-present ("CNP") solution, we will process certain information in order to complete that transaction, including specific details of the transaction and your payment card details (“Payment Data”). Payment Data may be collected by us directly, or may be collected by the Merchant and passed to us for processing.
Payment Data of individuals is captured by us in the following instances:
(i) when you tap your payment card to pay a Merchant upon boarding public transport (at which point we collect the following information: payment card “PAN” (personal account number), payment card type and payment card expiry details); and
(ii) when you purchase a Ticket online using our CNP solution (at which point we collect: cardholder name, billing address, PAN, payment card type, payment card expiry details, CVV2, IP address and data relating to your device and browser); and
(iii) when you view your public transport payment history online (at which point we collect: PAN, payment card type, payment card expiry details, payment card CVV2 and billing name and address).
If, when purchasing a Ticket online you elect for us to store your Payment Data for future transactions, we will store your PAN, payment card type and payment card expiry details.This information will be encrypted and stored as an encrypted token. In all other instances, when retained by us, your PAN is encrypted. Other Payment Data you may provide to us upon viewing your public transport payment history online, such as billing name and address and payment card CVV2, are not retained once you have been successfully verified.
We also collect personal data from our Merchants, and from users of our website (for example, if you submit a query via our website) and individuals who contact us via other means. This information may include your name, address, contact details, job role and employer details and any other information that you choose to provide us. If you are a Merchant, we will process your login details for our online Merchant Portal (a PCI-compliant and responsive web portal for Merchants to view individual passenger transactions).
When you use our website, we collect certain standard information that is sent by your browser to our website. This includes technical information, such as your IP address, browser type, device identifiers, operating system, language, time zone setting, access times and any referring website addresses.
What do we use this personal data for?
We use your personal data to facilitate payments from you to Merchants for the use of public transportation services, whether this is a direct card-present transaction where you board the vehicle of transport, or the advance purchase of a Ticket for the relevant transport.
We use Payment Data to process the payment, fulfil our contractual obligations to the relevant Merchant, and comply with our legal and regulatory requirements. Where necessary, we may also use Payment Data to: (i) investigate fraud; (ii) detect and and prevent fraudulent transactions; and (iii) conduct secure authentication before verifying your purchase.
We use personal data relating to our Merchants and website users to maintain our commercial relationships, respond to queries, and promote our services.
We also use personal data for the following purposes and any other purposes stated at the point of collecting your personal data:
- in order to store your encrypted Payment Data for use in future transactions, where you elect to do so;
- to contact and communicate with you in connection with the provision of our services or where you have got in touch with us;
- to manage your purchases and your user account;
- in order to conduct analytics and carry out market research;
- in order to fulfil our legal obligations; and
- for other business-related purposes, including negotiating, concluding and performing contracts, managing accounts and records, supporting corporate social responsibility activities, legal, regulatory and internal investigations and debt administration.
Legal basis for processing your personal data
Our legal bases for processing your personal data under applicable data protection laws are;
- Your consent.
- Contract: the processing is necessary in order for us to fulfil our contract with you to provide payment processing services.
- Legal obligation: the processing is necessary for our legal compliance.
- Legitimate interests, and the processing is necessary for Littlepay’s legitimate interests, which may include one or more of the following:
- fulfilling and processing your payment in order to provide the service the Merchant has contracted for;
- running our business;
- developing our products and services and growing our business;
- improving our website and keeping it up to date and relevant;
- analysing how customers purchase and use our products and services and informing our marketing strategy;
- provision of internal administration and IT services;
- keeping our records up to date; and
- securing our network and systems.
Depending on your relationship with us, we may send you marketing from time to time. If you would no longer like to hear from us, please use the details provided in the marketing communication to unsubscribe or contact us at the details below.
Who do we share this personal data with?
We share personal data with third parties in the following circumstances:
- People within our organisation who have a ‘need to know’ that data for business or legal reasons, for example in order to carry out an administrative function.
- As we operate internationally, we may share your personal data with any entity within the Littlepay group worldwide.
- With the relevant Merchant, bank or other financial institution(s), as necessary to provide our payment services. Please note we do not share complete card payment details with our Merchants.
- With our affiliates, as necessary to provide our services and operate our business.
- With service providers working for us, and our professional and legal advisors, as necessary for the running of our business..
- With third parties who provide us with fraud prevention and detection and security services.
- With law enforcement or other governmental authorities, e.g. to report a fraud or in response to a lawful request or to comply with a lawful obligation.
- With third parties in the event that we sell, buy or merge any business or assets, including to the prospective seller or buyer of such business or assets.
- Otherwise where we have your consent or are otherwise legally permitted to do so.
Storage and Retention
Littlepay has offices in London and Australia, and is capable of processing payments globally. Consequently, your personal data may be processed in countries outside of Europe, including in countries where you may have fewer legal rights in respect of your data than you do under local law. If we transfer personal data outside the European Economic Area we will, as required by applicable law, ensure that your privacy rights are adequately protected by appropriate safeguards, in particular the EU’s standard contractual clauses. Please contact us at email@example.com if you would like more information about these safeguards.
We will keep your personal data for as long as we need it for the purposes set out above, and so this period will vary depending on your interactions with us. Where we no longer have a need to keep your information, we will delete it. Please note that where you unsubscribe from our marketing communications, we will keep a record of your email address to ensure we do not send you marketing emails in future.
We store Payment Data, including card details and your name and address for up to 60 minutes following the processing of a payment, in order to verify the transaction. We store your card details, including PAN, payment card type and payment card expiry details (but never CVV2) in an encrypted, tokenised form for seven (7) years after the processing of each payment. At your option, we will make this information available for future transactions, meaning that you will only need to enter your card CVV2.
We have put in place appropriate security measures to prevent your personal data from being used or accessed in an unauthorised way, altered or disclosed, or accidentally lost. In addition, we limit access to your personal data to those employees, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
In particular, we have implemented the following security measures:
- We comply with the Payment Card Industry Data Security Standard (PCI DSS) and have Level 1 security certification.
- All payment card data (PAN, cardholder name, expiry and CVV) is captured using our secure Drop-In IU or through a Merchant’s secure systems and sent to us via API.
- Each Merchant creates an online checkout, usually via an appointed third party developer, that is secured with our platform through mutual trust authentication mechanisms to ensure that the encrypted payment messages received to our platform are from a legitimate source and party.
- Payment messages are further encrypted by Littlepay through industry standard cryptographic techniques commonly used in the payments industry, as follows:
- payment card data is tokenised;
- each customer dataset is stored separately; and
- all payment transactions are processed using the tokenised payment card data held in a PCI-DSS secure payment card vault.
- We do not process any sensitive personal data (e.g. biometric data, large scale profiling, genetic data or children’s data).
Some of the cookies we use are necessary for our website to operate whilst other cookies are used to provide tailored advertising by trusted third parties. To find out more about cookies, visit www.allaboutcookies.org or www.youronlinechoices.eu
There are two categories of cookies: persistent cookies and session cookies. The persistent cookies are stored on your device for a longer period of time after your browser has been closed and are used, for example, to log the choices you made during earlier visits. Session cookies are stored temporarily in your browser, for example, to remember what language you selected. These are erased automatically after your browser is closed.
There are also third party cookies, meaning that the cookies do not originate from us, but from someone else. Third party cookies are often used for web statistics, such as Google Analytics.
The different types of cookies we use
Littlepay uses the following categories of cookies on our website:
Strictly Necessary cookies - These cookies are essential for certain features of our website to work, for example profile information of a current logged-in user and access to the Merchant Portal. These cookies, for example, allow users to remain logged in.
Analytical or Performance cookies - These cookies are used to collect anonymous information about traffic to our website. These cookies do not collect personal data. In some cases we use trusted third parties to set cookies and collect information about browsing activity for us, which may include recording your use of our website.
We may also collect information about the device you use to access our website.
Functionality cookies - These cookies are used to recognise you when you return to our site. This enables us to remember your preferences.
Withdrawing your consent and managing cookies - If you'd prefer to restrict, block or delete cookies from Littlepay or any other website, you can use your browser to do this. Each browser is different, so check the 'Help' menu of your particular browser to learn how to change your cookie preferences. If you choose to disable all cookies we cannot guarantee the performance of our website and some features may not work as expected or at all.
You have certain rights in respect of your personal data, including the right to access, correct, and request the erasure of your personal data.
You also have the right to object to your personal data being used for certain purposes, including to send you marketing. See ‘Marketing’ above, for more details of how to opt-out of marketing.
We will comply with any requests to exercise your rights in accordance with applicable law. Please be aware, however, that there are a number of limitations to these rights, and there may be circumstances where we are not able to comply with your request. To make any requests regarding your personal data, or if you have any questions or concerns regarding your personal data, you should contact us using the details below.
If you have a complaint regarding our processing of personal data, you are entitled to contact the UK’s supervisory authority for data protection, the Information Commissioner’s Office. However, where possible, we would appreciate the opportunity to deal with your concerns before you approach the supervisory authority, so we ask that you please contact us in the first instance.
To view our Employee Privacy Notice, please click here.