Privacy and cookies | Great Western Railway

Last updated: 3 March 2023

At a glance this is what you need to know

We always recommend that our customers read this privacy policy in full. It explains who we are, how and why we collect personal data from you, how and why it will be processed by us and our commitment to protecting your data.

But just in case you’re on the move or do not have time to read it in full we have summarised the key points for you in our 'speed read' section below.

Great Western Railway (GWR, we, our or us) is a trading name of First Greater Western Limited. We are registered as a data controller with the Information Commissioner's Office and our registration number is Z9382315.

We have appointed a Data Protection Officer. They are responsible for our approach to data protection and protecting your privacy. You can contact them at GWR.DPO@firstgroup.co.uk.
We process (i.e. handle) your personal data to provide our services to you. Under data protection laws, we are only permitted to process your personal data where we have a legal basis for doing so. We will only ever process your personal data in compliance with applicable law.
We may share your personal data with our third-party suppliers, including payment processors and data analysts, to enable the efficient and secure provision of services to you. Except as explained in this privacy policy, we will not share your data with third parties without your consent unless required to do so by law.
We will keep your personal data for as long as we need it. How long we need your personal data depends on what we are using it for, whether that is to provide services to you, for our own legitimate interests (described below) or so that we can comply with the law. We will actively review the information we hold and when there is no longer a customer, legal or business need for us to hold it, we will either delete it securely or in some cases anonymise it.
We may transfer your personal data to a recipient located outside of the United Kingdom (UK). If we do this, we will ensure that the transfer mechanism provides an adequate level of protection, which has been recognised by the United Kingdom.
You have important rights under laws aimed at protecting your personal data. This policy sets out your rights and how you can exercise them. For more information, read section 12. You also have the right to make a complaint to the Information Commissioner's Office if you are unhappy with how we have handled your personal data. For more information read section 13.

1. About Great Western Railway

This section sets out who we are. It provides some useful information about us including our company number, registered address and data controller registration number (provided by the information commissioner’s office).

2. About this privacy policy

This section tells you when this privacy policy applies (e.g. When you use our website or communicate with us). It also lets you know how and when we will communicate updates of this privacy policy to you.

3. What personal data do we collect about you?

This section informs you of exactly what personal data we collect about you and why. This includes information that is provided to us directly by you as well as information that we gather from your visits to our website and information that we receive from other sources.

4. How is your personal data collected?

This section explains to you the different ways in which we will collect the personal data that you provide to us.

5. Purposes for which we will use your personal data

This section explains the purposes for which we will use your personal data we hold. We also set out what we consider to be the legal basis for processing your personal data for each purpose, this is to ensure that you have all the information that we are required to provide you by law.

6. Communications

This section explains how we will ensure that you only receive communications that you wish to receive. We will ensure that you have total control over the information that you receive.

7. Who will have access to your personal data?

This section explains which of our employees will have access to your personal data. It also explains the reason for our employees accessing your personal data.

8. Who else might we share your personal data with?

This section informs you of who we share your personal data with. It also explains the reason for sharing; this is largely so that we can provide our services to you.

9. How do we protect your personal data?

This section explains how we keep your personal data safe and where it will be held. It also explains how we may process your personal data outside of the United Kingdom, but that we will only do so using recognised mechanisms which offer an adequate level of protection.

10. How long do we keep your personal data?

This section explains the length of time that we will retain your personal data. It also explains why we would hold your personal data for such time periods.

11. What are your rights?

This section explains that you have rights in relation to your personal data. It also explains what these rights are and how you can go about exercising them.

12.Cookies

This section explains that our website uses cookies and where you can find further information about the cookies used.

13. Who can you ask for more information?

This section provides you with contact information should you have any questions or concerns about the way we handle your personal data. It also explains how you can contact the data protection regulator should you be unsatisfied with our response to your data protection issues.

Great Western Railway (GWR, we, our or us) is a trading name of First Greater Western Limited, a company registered in England and Wales under company number 05113733 whose registered office is at Milford House, 1 Milford Street, Swindon, Wiltshire, SN1 1HL.

We are registered as a data controller with the Information Commissioner's Office and our registration number is Z9382315.
This privacy policy applies to the personal data we collect about you through our website (www.gwr.com) (Website), by post, by telephone, in person (for example in stations and on board), through our apps and when you otherwise communicate with us.

This privacy policy may change from time to time and, if it does, the up-to-date version will always be available on our Website. We will also tell you about any important changes to our privacy policy.
This section informs you of what information we collect about you and why. Personal data means any information about an individual from which that individual can be identified.

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
- Identity Data includes first name, surname, username or similar identifier, marital status, title, date of birth, gender and CCTV footage.
- Contact Data includes billing address, delivery address, postcode, email address and telephone numbers.
- Financial Data includes bank account and payment card details.
- Transaction Data includes details as to your journeys, details about payments to and from you and other details of products and services you have purchased from us.
- Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
- Profile Data includes your username and password, purchases or orders made by you, any interests communicated to us to enable the personalisation of services, travel preferences, feedback and survey responses.
- Usage Data includes information about how you use the Website, products and services.
- Health Data includes information relating to your mobility and disability status to enable us to provide assisted travel and ensure that you receive the correct pricing and any information detailed within any accident reports that relates to personal injury or receipt of medical attention.
- Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data is not considered personal data in law as this data does not directly or indirectly reveal your identity. An example of Aggregated Data would be where we use your Usage Data to calculate the percentage of users accessing a specific Website feature. If the Aggregated Data is combined with other personal data to directly or indirectly identify you, we will treat this combined data as personal data and in accordance with this privacy policy.

Special Category Data includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data. We do not seek to collect or otherwise process your Special Category Data, except where:
- we have obtained your explicit consent prior to processing your Special Category Data (e.g. you consent to us processing your Health Data to provide travel assistance services to you);
- the processing is necessary for compliance with a legal obligation;
- the processing is necessary for the detection or prevention of crime (including the prevention of fraud) to the extent permitted by applicable law;
- you have manifestly made those Special Category Data public;
- the processing is necessary for the establishment, exercise or defence of legal rights; or
- processing is necessary for reasons of substantial public interest and occurs on the basis of an applicable law that is proportionate to the aim pursued and provides for suitable and specific measures to safeguard your fundamental rights and interests.
We use different methods to collect data from and about you including through:

Direct interactions:
We collect personal data about you if you fill in forms on the Website or correspond with us by telephone, email or otherwise. This includes information you provide when you:
- register to use our Website or app;
- buy train tickets or other products or services;
- enter a competition, promotion or survey; or
- report a problem with our Website or give us feedback.
We may also ask you to share your personal data with us if it is necessary for us to provide our services to you – for example, we may ask if you require mobility assistance when travelling.

We may process personal data that you manifestly choose to make public, including via social media (e.g. we may collect information from your social media profile(s), to the extent that you choose to make your profile visible).

Automated technologies or interactions:
If you use our Website, we automatically collect the following information:
- web usage information (e.g. IP address), your login information, browser type and version, time zone setting, operating system and platform; and
- information about your visit, including the full Uniform Resource Locators (URLs) clickstream to, through and from our Website (including date and time); time on page, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks and mouse-overs).
Where we collect information about you in the ways described above, we do so on the basis that it is in our legitimate interests to collect and process this data. In most situations this will be anonymised but we collect and process this data to ensure that our site is functioning properly and that our customer experience is to the standard that you and we expect.

The Website may, from time to time, contain links to and from the websites of advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

We also use cookies on our Website. Please see section 13 for more information.

No automated decision-making or profiling will take place using your personal data.

Information we receive from other sources:
We may receive information about you if you use any other website we operate or the other services we provide. We are also working closely with third parties, (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies) and may receive information about you from them, in particular where you purchase any of our products or services through such third parties. In addition, we may receive information about you from third parties who provide it to us (e.g. your employer, our customers and law enforcement authorities).

When we receive information from other sources, we rely on them having the appropriate provisions in place telling you how they collect data and who they may share it with. We carefully check our sources to ensure that we only receive your information when it is lawful for us to do so.

CCTV and Body Worn Video:
We employ CCTV, on-demand audio recording and body worn video (BWV) cameras to capture, record and monitor what takes place at our offices, stations, car parks and on our trains in order to help provide a safe environment for both our employees and customers, reduce the number of assaults on our employees and prevent, deter and detect crime.

BWV will only be activated when absolutely necessary. Prior to the record mode being activated, our employees will give notice that the camera is being activated and that it will make both a video and audio recording. For further information on CCTV and retention periods, please contact us using the details provided in section 13 below.

5. Purposes for which we will use your personal data

This section explains how we will use personal data you provide to us in order to carry out the activities relevant to the provision of our services to you.

We must have a legal basis for processing your personal data. We consider that we have a legal basis where:

you have given us consent to do so for the specific purposes which we have told you about - for example, we will need your consent to process any health information you provide to us, such as information relating to mobility;
it is necessary for us to do so to enable us to provide you with the services that you have requested from us - for example, contacting you about your journey;
it is necessary in order to fulfil our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests; or
the law otherwise permits or requires it.

Where we process your personal data on the basis of our legitimate interests, these are our (or our third party’s) interests in providing our services to you in an efficient and secure manner.

We have set out below a list of all the ways we may use your personal data and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are, where appropriate.

In some cases we may use more than one legal basis for processing your personal data; this will depend on the specific purpose for which we are using your personal data. Please contact us in section 13 if you have any queries about the specific legal basis that we rely on for processing your personal data.

What we use your personal data for (purpose)	Type of data	Legal basis for processing (including basis of legitimate interest)
To register you as a new customer	(a) Identity (b) Contact	Performance of a contract with you
To carry out our obligations arising from any contracts entered into between you and us including: (a) managing payments, paying refunds or compensation, fees and charges; (b) collecting and recovering money owed to us; (c) running fraud checks if we have reasonable suspicions; (d) provide you with the information, products and services that you request from us including, but not limited to, contacting you about your journey;	(a) Identity (b) Contact (c) Financial (d) Transaction (e) Health (f) Marketing and Communications	(a) Performance of a contract with you (b) Necessary for our legitimate interests (to recover debts due to us, to pay refunds or compensation owed to you and to prevent us facilitating fraud)
To respond to your enquiries or to process your requests in relation to your information	(a) Identity (b) Contact	Performance of a contract with you
To maintain a suppression list should you opt-out of receiving communications	(a) Identity	Necessary for our legitimate interests (to ensure that we are not at risk of breaching data protection laws by communicating with you where you have asked us not to)
To manage our relationship with you which will include: (a) notifying you about changes to our Website, services, terms or privacy policy; and (b) asking you to leave a review or take a survey	(a) Identity (b) Contact (c) Profile (d) Marketing Communications	(a) Performance of a contract with you (b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interests (to recover debts due to us)
To help provide a safe environment for our employees and customers; to reduce the number of assaults on our employees during revenue enforcement duties; and to improve the quality of evidence available for submission to the authorities	(a) Identity	(a) Necessary for our legitimate interests (to protect employee and customer safety and assist with the verification of claim)
To enable you to partake in a prize draw, competition or complete a survey	(a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications	(a) Performance of a contract with you (b) Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business)
To administer and protect our business and the Website (including training our employees, troubleshooting, data analysis, testing, system maintenance, security audits, support, reporting and hosting of data)	(a) Identity (b) Contact (c) Profile	(a) Necessary for our legitimate interest (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) (b) Necessary to comply with a legal obligation (c) Performance of a contract with you
To conduct health and safety assessments and record keeping; and compliance with related legal obligations	(a) Identity (b) Contact (c) Profile (d) Health	(a) Necessary for our legitimate interest (in providing a safe and secure environment at our premises) (b) Necessary for compliance with a legal obligation (c) Necessary to protect the vital interests of any individual
To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you	(a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing Communications (f) Technical	Necessary for our legitimate interest (to study how you use our products/services, to develop them, to grow our business and to inform our marketing strategy)
To use data analytics to improve the Website, products/services, marketing, customer relationships and experiences	(a) Technical (b) Usage	Necessary for our legitimate interests (to define types of customers for our products and services, to keep the Website updated and relevant, to develop our business and to inform our marketing strategy)
To make suggestions and recommendations to you about goods or services that we feel may interest you	(a) Identity (b) Contact (c) Technical (d) Usage (e) Profile (f) Marketing Communications	Necessary for our legitimate interest (to develop our products/services and grow our business)
To establish, exercise and defend our legal rights	(a) Identity (b) Contact (c) Financial (d) Transactional (e) Technical (f) Profile (g) Usage (h) Health (i) Marketing Communications	(a) Necessary for compliance with a legal obligation (b) Necessary for our legitimate interest (for the purpose of establishing, exercising or defending our legal rights)

This section is to explain how we will ensure that you only receive communications that you wish to receive:

Marketing communications:
We can only use your personal information to send you marketing messages if we have either your consent or a ‘legitimate interest’. A ‘legitimate interest’ is when we have a business or commercial reason to use your information. It must not unfairly go against what is right and best for you.

The personal data we have for you is made up of what you tell us, and the data we collect about you when you use our services, or data provided to us from third parties we work with. We study this to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you.

We want to ensure that you are informed and aware of the best products, services, promotions and events that we can offer you. By consenting to receive additional communications (by mail, telephone, SMS, text/picture/video message, app push notifications or email) from us and any named third parties that feature at the point of obtaining consent in respect of such information, we will process your personal data in accordance with this privacy policy.

If you have provided your consent to receive marketing communications from us and you change your mind, you can change your preferences and unsubscribe at any time by unsubscribing from the relevant communication channel, changing your preferences in the preference centre or by contacting us at GWR-DPO@gwr.com. If you choose not to receive this information we will be unable to keep you informed of new products, services and promotions that may interest you.

Whatever you choose, you'll still receive booking confirmations and other important information, for example service updates.

Service communications:
As detailed in the table at section 6, we may send you communications such as those which relate to any service updates (e.g., service disruption) or provide customer satisfaction surveys. We consider that we can lawfully send these communications to you as we have a legitimate interest to do so, namely, to effectively provide you with the best service we can and to grow our business.
This section is to explain who, within GWR, will have access to your data. Your personal data will only be seen or used by our employees who have a legitimate business need to access your personal data for the purposes set out in this privacy policy.

We take your privacy seriously and have implemented appropriate physical, technical and organisational security measures designed to secure your personal data against accidental loss, destruction or damage and unauthorised access, use, alteration or disclosure.

Purchasing a Railcard

We will collect personal data (including your name, age, email address, photograph, and previous railcard details) when you purchase or use Railcards at GWR.com. For age-specific Railcards we will require details from either a UK driving license, International Passport or National Identity Card to verify your date of birth. Depending on which Railcard you are purchasing we may also ask for additional information:
- 16-25 Railcard: For mature students, we also require confirmation of your attendance at a university/college.
- Family & Friends Railcard: If you decide to have a second cardholder named on the card, we will need their name.
- Two Together Railcard: We require the name of the second cardholder and photographs of both you and the second named cardholder.
Neither the Passport number nor Driver’s Licence number are retained, these being used solely for the purpose stated above and below. Some Railcards are residency dependent, i.e., you must live in a specific geographic area. For these cards we may ask you to supply evidence of your address, for example, a utility bill or council tax bill. If you are asked for this information we will retain it for a period of 30 (thirty) days in order for us to conduct any address verification necessary. After this time the data will be securely deleted.
- We collect this info for the purpose of retailing you Railcards and checking your eligibility for purchase of certain Railcards.
- We will share your data (your name and email address) with ATOC Ltd, trading as Rail Delivery Group (RDG). They act as a joint Data Controller for the purposes of selling and administering Railcards. For more information, please see ATOC’s Privacy Policy.
This section will inform you of who we share your personal data with and why. Except as explained in this privacy policy, we will not share your personal data without your consent unless required to do so by law.

We may share your personal data with you, and where appropriate, your family, your associates and your representatives.

We may share your personal data with our ultimate holding company (FirstGroup plc), and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006. For example, where we facilitate the ability to book corporate travel through our Business Direct platform, your personal data may be accessible by another member of our group which also makes use of the platform.

We may disclose your personal data to the British Transport Police or any other law enforcement agency or court to the extent necessary for purposes including preventing, investigating, detecting, and prosecuting criminal offences; preventing threats to public security in accordance with applicable law; or validating a claim.

We may share your personal data with the following third-parties who assist us with administering the provision of our services to you:
- business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you;
- analytics and search engine providers that assist us in the improvement and optimisation of our site and marketing strategy;
- other rail industry bodies including the Office of Rail and Road, other Rail Operators, Network Rail, Transport Focus, the Department for Transport, ATOC Ltd, trading as Rail Delivery Group (RDG), Great British Railways (GBR), Transport for the North and London TravelWatch, in order to comply with our regulatory obligations and to help resolve complaints or other issues; and
- agents we engage to perform functions on our behalf including fulfilling order deliveries, repaying compensation claims for delay, sending customer communications, analysing data, providing marketing assistance, processing payments, issuing and obtaining payment for penalty fares or fines, researching customer satisfaction, and providing customer service. They have access to personal data needed to perform their functions, but may not use it for other purposes.
We may also pass aggregated data on the usage of our site (e.g. we might disclose the median ages of visitors to our site, or the numbers of visitors to our site that come from different geographic areas) to third parties but this will not include information that can be used to identify you personally.

If a business transfer or change of business ownership takes place or is envisaged or if our rail franchise is awarded to another company in the future, we may transfer your personal data to the Secretary of State for Transport and/or the new owner (or a prospective new owner) or the new franchisee. If this happens, you will be informed of this transfer.
This section explains how we keep your personal data safe and where it will be held.

We take your privacy seriously and are committed to maintaining the privacy and security of the personal data you provide to us, and the choices you have regarding our collection and use of your personal data.

Once we have received your personal data, we follow strict security procedures as to how your personal data is stored and used, and who sees it, to help stop any unauthorised access.

Any payment transactions will be encrypted. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. You should not share this information with anyone.

The information that we collect from you may be transferred to, and stored at, a destination outside the United Kingdom (UK). When we transfer and store your personal data outside of the UK we will ensure that it is adequately protected by using appropriate safeguards as further detailed below.

Staff operating outside the UK who work for us, or one of our suppliers, may process the information. Such staff may be engaged in, among other things, the fulfilment of your order, the processing of your payment details and the provision of support services;

Where your personal data is transferred from the UK to a recipient outside the UK in a country not recognised by the United Kingdom as providing an adequate level of protection for personal data, such transfer shall be covered by a framework recognised by the relevant authorities or courts as providing an adequate level of protection for personal data including but not limited to Standard Contractual Clauses (the agreement in the form annexed to the European Commission's decision of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which can be found here (PDF, 776 KB))

Unfortunately, the transmission of your personal data via the internet is not completely secure and although we do our best to protect your personal data, we cannot guarantee the security of your data transmitted to us over the internet and you acknowledge that any transmission is at your own risk.
This section explains the length of time that we will retain your personal data.

We will keep your personal data for no longer than is necessary for the purposes for which it was obtained. The criteria for determining the duration for which we will retain your personal data are as follows:

(1) we will retain your personal data in a form that permits identification only for as long as:
- we maintain an ongoing relationship with you; or
- your personal data is necessary in connection with the lawful purposes set out in this policy for which we have a valid legal basis.
plus
(2) the duration of:
- any applicable limitation period under applicable law (i.e. any period during which any person could bring a legal claim against us in connection with your personal data, or to which your personal data may be relevant); or
- an additional reasonable period following the end of such applicable limitation period.
and

(3) in addition, if any relevant legal claims are brought, we may continue to process your personal data for such additional periods as are necessary in connection with that claim.

During the periods in paragraphs (2)a and (2)b above, we will restrict our processing of your personal data to the storage of, and maintaining the security of, those data, except to the extent that those data need to be reviewed in connection with any legal claim or obligation under applicable law.

After this period your personal data will be anonymised so that you are no longer identified or identifiable from such information, or securely deleted/destroyed.

Any third parties that we engage will keep your data stored on their systems for as long as is necessary to provide the relevant services to you or us. If we end our relationship with any third party providers, we will make sure that they securely delete or return your personal data to us.

The retention periods for CCTV and BWV vary depending on the location and system in use. Such periods tend not to exceed 30 days and will always be reasonable or as long as is required by law. For more information please contact us using the details provided in section 13.

If you have purchased a Railcard, we will keep your data while your Railcard is valid and for two years thereafter to enable you to renew easily within that period (with the exception of your identity verification data, retained for 30 days).

We may retain personal data about you for statistical purposes (for example, to help us better advertise our services). Where data is retained for statistical purposes it will always be anonymised, meaning that you will not be identifiable from that data.
This section explains that you have a number of rights in relation to your personal data. There are circumstances in which your rights may not apply. You have the right to request that we:
- provide you with a copy of the information we hold about you;
- update any of your personal information if it is inaccurate or out of date;
- delete the personal data we hold about you - if we are providing services to you and you ask us to delete personal data we hold about you then we may be unable to continue providing those services to you;
- restrict the way in which we process your personal data;
- stop processing your data if you have valid objections to such processing; and
- transfer your personal data to a third party.
For more information on your rights and how to use them, or if you would like to make any of the requests set out above, please contact us using the details provided in section 13. We will respond to all such requests within the time period required by law. Occasionally it may take us longer, if your request is particularly complex, you have made a number of requests or you have not supplied the information we need to respond to you. In this case, we will notify you and keep you updated.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

As explained in the section on Communications above, even if you consented to the processing of your personal data for marketing purposes (by ticking the relevant box or by requesting information about services), you have the right to ask us to stop processing your personal data for such purposes. You can exercise this right at any time by unsubscribing from the relevant communication channel, changing your preferences in the preference centre or by contacting us at GWR-DPO@gwr.com.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
The Website uses cookies. Cookies are text files containing small amounts of information which are downloaded to your personal computer, mobile or other device when you visit a website. For more information please see our Cookies Policy.
If you have any questions or concerns about how we handle your personal data, you can contact us using any one (or more) of the following:

Post: MH101, GWR, Milford House, Swindon, SN1 1HL

Email: GWR.DPO@firstgroup.co.uk

Telephone number: 0345 7000 125

Alternatively, you can contact us through the Contact Us section of the Website.

We have appointed a Data Protection Officer. They are responsible for our approach to data protection and protecting your privacy. You can contact them at GWR.DPO@firstgroup.co.uk.

If you are unsatisfied with our response to any data protection issues you raise with us or our DPO, you have the right to make a complaint to the Information Commissioner’s Office (ICO). The ICO is the authority in the UK which is tasked with the protection of personal data and privacy.

Cookie policy

Last updated: 20 February 2023

This policy explains how our website, mobile app and Wi-Fi portal use cookies.

What is a cookie?

Cookies are text files containing small amounts of information which are downloaded to your personal computer, mobile or other device when you visit a website.

Cookies are then sent back to the originating website on each subsequent visit, or to another website that recognises that cookie. Cookies are useful because they allow a website to recognise a user's device.

Cookies in themselves do not identify you, just the computer or device you are using. Cookies do lots of different jobs, like making it easier for you to log onto, and use, our site during future visits, letting you navigate between pages efficiently, remembering your preferences, and generally improving your experience. They also allow us to monitor traffic on our site and can also help to ensure that advertising you see online is more relevant to you and your interests.

Cookies themselves only record which areas of our site have been visited by your computer or device and for how long. Allowing us to create a cookie does not give us access to the rest of your computer, and does not allow us to see any personally identifiable data about you.

Types of Cookies

We've arranged the Cookies we use into three groups:

a) Required cookies: These Cookies are necessary for core features of this site to operate properly. Because they are needed for the site’s operation, they are always set to "Active". They include, for example, cookies that enable you to log into secure areas of our website or make a purchase.

b) Functionality cookies: These Cookies allow us to analyze site usage in order to evaluate and improve its performance. They are also used to provide a better user experience on the site, such as by measuring interactions with particular content or remembering settings.

c) Advertising cookies: These Cookies are used by advertising companies to inform and serve personalized ads more relevant to your interests. These Cookies also may facilitate sharing information with social networks or recording your interactions with particular ads.

Cookies we use

You can find more information about the individual cookies we use and the purposes for which we use them in the table below. If you choose not to accept any Functionality or Advertising cookies or your browser is not compatible with our cookie preference tool we will only use Required cookies.

Host domain	File name	Category
gwr.com	__qca	Required Cookies
	__utma
	__utmb
	__utmt
	__utmz
	_dc_gtm_UA-3373558-4
	_dc_gtm_UA-3373558-9
	_fbp
	_ga
	_ga_ELB0V24W3R
	_gat
	_gat_UA-3373558-7
	_gat_UA-3373558-9
	_gat_gwrTracker
	_gcl_au
	_gid
	_uetsid
	_uetvid
	access_token
myaccount.gwr.com	__utma	Required Cookies
	__utmb
	__utmt
	__utmz
tickets.gwr.com	16371.vst	Required Cookies
	__storejs__
	perm_track
www.gwr.com	8195ad43-5efe-446e-9308-62df4df983e9	Required Cookies
	access_token
	arrivalStation
	departureStation
	fcuEnabled
	firstTimeSignUpFormVisitor
	md-params
	mixingDeck
	qttFirstStage
www.railhelp.co.uk/gwr	ASP.NET_SessionId	Required Cookies
	BrowserId
google.com	_GRECAPTCHA	Required Cookies
www.railhelp.co.uk/gwr	SC_ANALYTICS_GLOBAL_COOKIE	Functional Cookies
	_ga
	_gid
	sitecore_userticket
	__RequestVerificationToken
	__CSRFCOOKIE
	sc_fv
	shell#lang
	scContentEditorFolder
www.railhelp.co.uk/gwr	X-Salesforce-CHAT	Functional Cookies
paypal.com	LANG	Functional Cookies
	enforce_policy
	l7_az
	ts
	ts_c
	tsrce
veinteractive.com	6C146901-FA2B-4E7B-A30C-D1167FC65E93	Functional Cookies
	__ssid
adsrvr.org	TDCPM	Advertising Cookies
	TDID
bidswitch.net	c	Advertising Cookies
	tuuid
	tuuid_lu
bing.com	MUID	Advertising Cookies
doubleclick.net	IDE	Advertising Cookies
	test_cookie
facebook.com	fr	Advertising Cookies
linkedin.com	AnalyticsSyncHistory	Advertising Cookies
	UserMatchHistory
	bcookie
	lidc
	lang
	li_gc
quantserve.com	mc	Advertising Cookies
volvelle.tech	c	Advertising Cookies
	ouuid
	ouuid_lu
www.linkedin.com	bscookie	Advertising Cookies

Cookies and similar technologies set by third parties

On some pages of our site other organisations, for example Facebook and other platforms (such as Twitter, Instagram, Snapchat and Amazon), may also set their own cookies or use other similar technologies (e.g. web beacons, pixels and local storage technologies) to collect or receive information from our website or elsewhere on the internet and use that information to provide measurement services and target ads. Because of how these technologies work, our site cannot access this information. These third parties are responsible for setting out their own cookie and privacy policies.

You can opt-out of the collection and use of information for ad targeting at websites such as:

http://www.aboutads.info/choices
http://optout.networkadvertising.org/
http://www.youronlinechoices.com/uk/your-ad-choices

Facebook also provide certain features (e.g. pixels, SDKs and APIs) which are known as Facebook tools. We may use these Facebook tools to optimise our communication and improve targeted communications through Facebook, Instagram and the Facebook Audience Network.

Google provide advertising services through Google’s advertising and marketing platforms (e.g. DoubleClick for Publishers, Google AdX, and Adwords). AdWords remarketing cookies allow us to target our advertising across Google search and other websites to people that have previously visited this website.

Google also uses various conversion cookies to help advertisers determine how many times people who click on their ads end up purchasing their products. These cookies allow Google and the advertiser to tell that you clicked the ad and later visited the advertiser site. To opt out of Google Analytics across all sites, you may install the Google Analytics Opt-Out Browser here. To opt out of Google Analytics for display advertising or customize Google display network ads, you can visit the Google Ads Settings page.

These links may also assist you:

https://adssettings.google.com
https://www.amazon.co.uk/adprefs
http://www.facebook.com/ads/preferences
http://www.google.com/policies/privacy/ads
https://help.instagram.com/615366948510230
https://support.snapchat.com/en-GB/a/advertising-preferences
https://about.ads.microsoft.com/en-gb/resources/policies/personalized-ads
https://help.twitter.com/en/safety-and-security/privacy-controls-for-tailored-ads
https://www.linkedin.com/help/linkedin/answer/90274/manage-your-linkedin-ads-settings?lang=en

Changing cookie settings

When visiting our website for the first time on a device you will see a cookies banner explaining that we use cookies, why we use them and providing a link to this document. This banner gives you a settings option for our website. If you click on this, you can turn certain cookies on and off. You can access these settings and change your choices at any time in the future by clicking on the Cookies Settings link at the top of our website pages. Please be aware that if you turn cookies off certain features of our website will not work.

In addition, with most Internet browsers, you can erase or block cookies or ask to receive a warning before a cookie is stored. The “Help” function within your browser should tell you how. Alternatively, you may wish to visit the following sites:

www.youronlinechoices.eu
www.aboutcookies.org
www.allaboutcookies.org

which contain comprehensive information on how to do this on a wide variety of browsers. You will also find details on how to delete cookies from your computer as well as more general information about cookies.

Please be aware that restricting cookies may have a negative impact on the functionality of the Website.

Cookies that have been set in the past

If you have disabled one or more Functionality or Advertising cookies, we may still use information collected from cookies prior to your disabled preference being set, however, we will stop using any disabled cookies to collect any further information.

At a glance this is what you need to know

Contents

1. About Great Western Railway

2. About this privacy policy

3. What personal data do we collect about you?

4. How is your personal data collected?

5. Purposes for which we will use your personal data

6. Communications

7. Who will have access to your personal data?

8. Who else might we share your personal data with?

9. How do we protect your personal data?

10. How long do we keep your personal data?

11. What are your rights?

12.Cookies

13. Who can you ask for more information?

1. About Great Western Railway

2. About this privacy policy

3. What personal data do we collect about you?

4. How is your personal data collected?

Direct interactions:

Automated technologies or interactions:

Information we receive from other sources:

CCTV and Body Worn Video:

5. Purposes for which we will use your personal data

6. Communications

Marketing communications:

Service communications:

7. Who will have access to your personal data?

Purchasing a Railcard

8. Who else might we share your personal data with?

9. How do we protect your personal data?

10. How long do we keep your personal data?

11. What are your rights?

12. Cookies

13. Who can you ask for more information?

Cookie policy

What is a cookie?

Types of Cookies

Cookies we use

Cookies and similar technologies set by third parties

Changing cookie settings

Cookies that have been set in the past