Updated January 2022
This privacy notice tells you what to expect when Heathrow Express Ltd (a subsidiary of Heathrow Airport Ltd) collects personal information from you via our websites, our mobile app, ticket transactions, station surveillance cameras, customer relations team, and on-board Wi-Fi service. Heathrow Express is committed to protecting your personal information when you use Heathrow Express services. Whenever you provide such information we are legally obliged to use your information in line with all applicable laws concerning the protection of personal data including the General Data Protection Regulation (GDPR).
What information will we collect about you?
Heathrow Express collects information about how you use the Heathrow Express service via our website, and the device(s) you use to access the Heathrow Express services. This includes collecting unique online identifiers such as IP addresses, which are numbers that uniquely identify a specific computer or other network device on the internet. For more information, see our section on ‘cookies’ below.
Where do we get information about you?
Heathrow Express collects data from several sources:
• Mobile Application
• On-board WiFi
• If you contact our Customer Relations Team
• Surveillance Camera Systems (on our trains)
What personal information do we ask from you?
• Email address
• Mobile number
• Date of travel
• Rail travel discount entitlement
• Payment details* (including billing address)
• Cookie data
• IP addresses
• Heathrow Rewards number
* Whilst we request your payment details in order for you to buy one of our tickets, we DO NOT store these details on our systems, as all payments and transactions are completed by our 3rd party Payment Service Provider called Secure Trading on their PCI compliant systems.
How will Heathrow Express use your information?
We will use your personal data for a number of purposes including the following:
|Use of data||Justification type||Justification Explanation|
|To provide a train service, and to provide you with information about it and to deal with your requests and enquiries related to the train service.||Contract||Where you buy a ticket from us the lawful justification for collecting and using your personal data is that it is necessary for the performance of the Heathrow Express train services which you contractually enter into. When purchasing a ticket for travel, failure to provide mandatory data fields denoted by a ‘*’ will mean that we will not be able to complete your order and deliver the Heathrow Express service to you. We will be unable to form a contract with you and provide service information that may impact on your Heathrow Express travel including but not limited to: delays, adverse weather conditions, engineering works, timetable changes, tickets and ticketing systems, refunds, manage your requests and enquiries through customer relations, to book and make payments for tickets, create and confirm customer or business or corporate accounts.|
|To provide you with a Website, App, Customer Relations team and onboard Wi-Fi services||Legitimate Interest||Where you register on our website, app, call customer relations, or use our onboard WiFi, you supply your data to us and we retain this through legitimate interest and will contact you under this basis. This is explained further down this document.|
|To send you marketing communications about Heathrow products and services as well as information, including products and services offered by our trusted third parties||Legitimate Interest||You supply us your details for marketing purposes. These marketing communications are about products and services, news and offers delivered by Heathrow Express Ltd or by the Heathrow Airport Group of companies. You can easily unsubscribe at any point.|
Methods of direct communication may include email, SMS, call, push notification or post.
|We may also match the data we collect with other data that we hold about you if you have used Heathrow products and services before.||Legitimate Interest||We have a legitimate business interest for your personal data to be used for this specific purpose. We may also match the data we collect with other data that we hold about you if you have used Heathrow products and services before. We do this to build up a picture of your personal preferences and understand how you use Heathrow products and services. This enables us to deliver a richer customer experience and ensures we only send relevant communications to you.|
|For applying for roles within Heathrow Express||Legitimate Interest||When you apply for a role within Heathrow Express we will store your details in order to process and track your application. We will also store your details and share with you new and exciting vacant roles.|
• Please see separate heading below on how/why we use our Surveillance Camera Systems.
What do we do with the information you give us and who do we share it with?
In order to deliver Heathrow Express services to you we share your data with our 3rd party partners as detailed below:
Where your information is provided to third parties they will only use your information for those purposes listed within this document. In some minimal instances, this may require your information to be transferred overseas, but we will make sure your information remains protected and secure and in line with your rights.
We will not transfer or disclose your personal information, other than as identified in this Privacy Notice, to our trusted third party suppliers, to the police, tribunals, courts, regulators, or other authorities to assist them with their investigations or requests or for us to report security incidents or suspected or actual unlawful acts and/or as may be otherwise required by law.
All the companies we use to provide a great service to you are governed by our data retention policies as detailed in this information.
Heathrow Airport Ltd
We will share your information with Heathrow Airport Ltd (also known as HAL), our parent company, so that they have a better understanding of all your interactions with ‘Heathrow’ and so can deliver more holistic and tailored customer engagements and understand how you use Heathrow products and services. This enables us to deliver a richer customer experience and ensures we only send relevant communications to you (where allowed).
For more information please see https://www.heathrow.com/more/help-with-this-website/privacy-notice
Acxiom supports Heathrow Express in adding extra lifestyle and demographic insight information which we then use to make our marketing to you more relevant (subject to your communication preferences and our internal policies and procedures). Acxiom acts as our data processor of the data we send them. We require them to comply strictly with our instructions and data protection laws and we will make sure that appropriate controls are in place. We shall ensure a written agreement is in place with them and regularly monitor their activities to ensure they are complying with our policies and procedures. For more information on Acxiom and the data it provides please visit https://www.acxiom.co.uk/about-acxiom/privacy/uk-privacy-policy/
Adobe Analytics (Adobe Systems Software Ireland Limited)
Adobe Systems Software Ireland Limited provide the method for delivering tickets to you either by email or mobile. We require them to comply strictly with our instructions and data protection laws and we will make sure that appropriate controls are in place. We shall ensure a written agreement is in place with them and regularly monitor their activities to ensure they are complying with our policies and procedures. For more information on Adobe Analytics and the support it provides please visit https://www.adobe.com/uk/privacy.html
Secure Trading are responsible for delivering our payment services in a secure PCI certified environment. We require them to comply strictly with our instructions and data protection laws and we will make sure that appropriate controls are in place. We shall ensure a written agreement is in place with them and regularly monitor their activities to ensure they are complying with our policies and procedures. For more information on Secure Trading and the support it provides please visit http://www.securetrading.com/privacy/
Salesforce provide customer support functionality on our behalf. We require them to comply strictly with our instructions and data protection laws and we will make sure that appropriate controls are in place. We shall ensure a written agreement is in place with them and regularly monitor their activities to ensure they are complying with our policies and procedures. For more information on Salesforce and the support it provides please visit https://www.salesforce.com/uk/company/privacy/
Nomad provide our customers with the onboard WiFi service. We require them to comply strictly with our instructions and data protection laws and we will make sure that appropriate controls are in place. We shall ensure a written agreement is in place with them and regularly monitor their activities to ensure they are complying with our policies and procedures. For more information on Nomad Digital and the support it provides please visit http://nomad-digital.com/privacy-policy/
Twilio aka SendGrid
Twilio provide an email solution to ensure you get your tickets efficiently. We require them to comply strictly with our instructions and data protection laws and we will make sure that appropriate controls are in place. We shall ensure a written agreement is in place with them and regularly monitor their activities to ensure they are complying with our policies and procedures. For more information on Twilio and the support it provides please visit https://sendgrid.com/policies/privacy/services-privacy-policy/
How long will we keep your information for?
Where you have opted ‘IN’ to our marketing communications
We will retain your data for a period of 2 years after your last interaction with us (such as clicking on an email we send you) at which point it will be anonymised.
Where you have downloaded our app or registered on our website.
We will retain your data for a period of 2 years after your last interaction with us at which point your data will be anonymised.
Where you contact our customer service team
We will keep a record of your request for a period of 3 years after which time it will be anonymised. The extra justification for this is to support you and other customers and provide the best service and experience we can. We retain your personal information through our legitimate interest. If you object to this you can request your data is erased here.
Where you purchase a ticket from us
We will retain your purchase data (excluding payment details) for 7 years. We are lawfully obliged to keep this information for accounting and reporting responsibilities. After this time, your transaction will be anonymised.
Where you have used our free on-train WiFi
We will retain your data for a period of 2 years after your last interaction with us at which point your data will be anonymised.
Your information will always be retained in a secure environment and access to it will be restricted according to the 'need to know' principle. With all the above, where we have backups of this data these will be overwritten in due course.
How to opt out of marketing information
Whilst we love providing you with regular up to date information about our news, services and competitions, we appreciate that sometimes you no longer wish to receive them. To do this please either log onto the application/website and change your communication preferences or alternatively you could contact us here.
We use legitimate interest as the lawful basis for storing your data but will always get your permission to send you marketing information and you can change this at any point.
Unless you tell us otherwise we will retain your data for a period of 2 years after your last interaction with us (such as clicking on an email we send you) at which point it will be anonymised.
Where you tell us that you no longer wish to receive marketing messages about Heathrow Express and other HAL Group products and services we will record your decision about your preference until you tell us otherwise and opt-in again.
Please allow 24 hours for your preference to be updated on our systems.
What is legitimate interest?
Legitimate interest is where we have considered what data we collect about you and we have balanced this against your individual rights and how intrusive it is on your privacy. We review this decision at regular intervals and always with our customers as our focus.
Please see the ICO website for more information here.
Train station and onboard surveillance camera system:
What we collect
• Facial images
• Movement data
What we do with it
We record and retain this information for the safety and security of our passengers and for improving our service to our customers. We may share this data with the Police and other law enforcement agencies. Viewing is strictly controlled and recording equipment shall only be operated by authorised and trained users for the purpose of fulfilling its role.
What justification we use and how long do we keep it
The justification for the retention of this data is for the safety and security of our passengers and staff and for the prevention and detection of crime and aviation security.
This data is stored on a secure system for a period of 30 days before being deleted. Where data is downloaded a record is kept of this download and the purpose.
What rights do I have over my personal data?
Under the General Data Protection Regulation, you have the right to:
• Access your personal data by making a subject access request
• Rectification, erasure or restriction of your information where this is justified
• Object to the processing of your information
• Data portability
To exercise any of these rights please contact the Heathrow Express Data Protection Office either by post:
Data Protection Officer
Heathrow Express Operating Company Limited
The Compass Centre
Or Email firstname.lastname@example.org
Should you request erasure of your Heathrow Express records, once we have completed this we will keep a record of your request and date on file. All other personal data relating to your records will be anonymised.
A new era has begun for the UK and EU now that the Brexit transition period is over. From time to time we may process personal data from EU residents. Whenever applicable, we have appointed an EU Representative to ensure that we continuously process your personal data in compliance with applicable laws and without undermining your statutory rights. You can contact our EU Representative at HeathrowEURepresentative@eversheds-sutherland.com with ‘EU Representative’ as the subject. You may also contact our EU Representative by post at:
Eversheds Sutherland Netherlands B.V.
Attn. EU Representative Heathrow Airport
Fascinatio Boulevard 212
3065 WB Rotterdam
Complaints and Queries
Heathrow Express tries to meet the highest standards when collecting and using your personal information. For this reason, we take any complaints we receive about this seriously. We encourage people to bring it to our attention if they think our collection or use of personal information is unfair, misleading or inappropriate. Contact our customer service team here
If you find our response unsatisfactory, you have the right to lodge a complaint with the supervisory authority – the Independent Commissioner’s Office (ICO). You can find more information on the ICO website at https://ico.org.uk/concerns/ regarding the complaints process.
Privacy & Cookies
The different types of cookies we use
Heathrow Express use the following categories of cookies on our websites:
Strictly necessary – These cookies are essential for certain features of our websites to work for example when you make payments for train travel. These cookies do not record identifiable personal information and we do not need your consent to place these cookies on your device. Without these cookies some services you have asked for cannot be provided.
Performance – These cookies are used to collect anonymous information about how you use our websites. This information is used to help us improve our websites and understand how effective our adverts are. In some cases we use trusted third parties to collect this information for us but they only use the information for the purposes explained. By using our websites, you agree that we can place these types of cookies on your device.
Functionality – These cookies are used to provide services or remember settings to enhance your visit, for example text size or other preferences. The information these cookies collect is anonymous and does not enable us to track your browsing activity on other websites. By using our websites, you agree that we can place these types of cookies on your device.
Targeting and Advertising – These cookies are used by trusted third parties to deliver adverts more relevant to you and your interests. They are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of the advertising campaign. Information contained in these cookies is anonymous and doesn't contain your personal information. To find out more about cookies used for targeting and advertising follow www.youronlinechoices.com and www.networkadvertising.org or contact us at email@example.com for further information about the trusted third parties we use.
Notwithstanding any other provision, we may also engage a third-party partner for the purpose of recognizing users and delivering to them interest-based content and advertisements. We may share information about you with our partners such as your name, postal address, email, device ID, or other identifier in encrypted, hashed or de-identified form. Our partners also may collect information from you, such as your IP address and information about your browser or operating system; may combine our personal and non-personal offline information about you with information from other partners in data sharing cooperatives in which we participate; and may place or recognize a unique cookie on your browser. These cookies contain no personally identifiable information; they may contain demographic or other data in de-identified form.
If you'd prefer to restrict, block or delete cookies from Heathrow Express and our third-party advertisers, or any other website, you can use your browser to do this. Each browser is different, so check the 'Help' menu of your particular browser to learn how to change your cookie preferences. If you choose to disable all cookies we cannot guarantee the performance of our websites and some features may not work as expected.
Changes to this privacy notice
We will keep this privacy notice under regular review and we will place any updates here. At the start of this privacy notice we will tell you when it was last updated.
Links to other websites
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.