Privacy Policy


We ask that you read this privacy notice carefully as it contains important information on who we are, how and why we collect, store, use and share personal information, your rights in relation to your personal information and how to contact us. We seek at all times to comply with the General Data Protection Regulation (GDPR).

Who we are

The Cambrian Rail Partnership, in partnership with Ceredigion County Council, collects, uses and is responsible for certain personal information about you. When we do so we are regulated under the GDPR, which applies across the European Union (including in the UK), and we are responsible as ‘controller’ of that personal information for the purposes of the GDPR. The GDPR will be supplemented in due course by additional UK-specific data protection legislation.

What personal information do we collect?

We collect personal information about you:

• When you contact us for information using our email channels, either by direct contact or via our web forms.
• Through the use of certain data capturing devices (for example, studying which pages of our website you read the most through the use of cookies).

How do we collect information?

You may give us the information orally, by web form, email, telephone or by letter. You may also give information to booking agents acting on our behalf or booking agents who seek to purchase a service from us.

How long do we keep your personal data?

We keep your personal data for a period of seven years from the date of collection of that personal information.

How do we use your information?

We use the information:
• To provide information that you may require regarding the services that we offer
• To comply with our statutory and regulatory obligations
• To send you marketing communications
• To administer competitions

Disclosure of your information

Some of the information you provide to us may be transferred to, stored and processed by third party organisations who process data on our behalf. These third parties may be based (or store or process information) in the United Kingdom, or elsewhere including outside of the European Economic Area (EEA). These third parties may include third party IT platforms (including cloud-based platforms), suppliers of administrative and support services and suppliers of other specialist products.

We may be obliged to disclose data by order of a court, by statute or by order of the Office of Rail and Road Regulation, or we may be permitted to disclose it under applicable data protection laws in other circumstances.

How do we protect your information?

All our computers are protected by firewalls and reputable anti-virus software to which all patches and updates are applied as soon as possible. External servers are similarly protected and provided by organisations we trust. Our computers and programmes are protected by passwords. Information in hard form is kept in locked drawers or filing cabinets.

Where we transfer information to third parties to enable them to process it on our behalf, we ensure that the providers meet or exceed the relevant legal or regulatory requirements for transferring data to them and keeping it secure.

We may transfer your personal information to countries which are located outside the European Economic Area (EEA) or UK as follows:

• When using outsourced IT or other administrative support services
• When you are located outside of the EEA

Such countries do not always have the same data protection laws as the United Kingdom and EEA, but where information is transferred to a country or international organisation outside of the UK/EEA, we will comply with the relevant legal rules governing such transfers that are designed to help safeguard your privacy rights and give you remedies in the unlikely event of a misuse of your personal information.

Do we use cookies?

Cookies are small routines which enable the location and type of your computer or device, and browsing behaviour, to be identified. The only cookies we use are for Google Analytics, which report to Google how our web pages and AdWords advertisements have been used. This information is available to us only in aggregated form, so that we can never identify a particular user. Responsibility for safeguarding this data rests with Google. You can set preferences in your own browser, for each machine you use.

What are your rights concerning our use of your personal information?

Under GDPR your rights include:

• Right of access. You may request to see what data we hold about you
• Right to rectification and data quality. You may require us to correct data which are inaccurate or incomplete
• Right to erasure including retention and disposal. The right to be ‘forgotten’. If you have had no contract with us, this can be done immediately. If you have had a contract, we must retain relevant data for seven years. Data older than this can be deleted, though we need to retain your name in our archives as a marker for past transactions
• Right to restrict processing. In this case we can retain the data but not use it
• Right of data portability. This does not apply as we do not process data by automatic means.
• Right to object, or to withdraw consent. You can ask us to stop sending you direct marketing communications (e.g. brochures or email newsletters). Note that an ‘unsubscribe’ request will stop future mailings, but that if you require your data to be deleted you must specifically notify us.

If you wish to exercise any of these rights, please email or write to us, and we will respond appropriately as quickly as possible. Furthermore, if you would like to discuss this policy, ask how we use your personal information, provide feedback or make a complaint please email or write to us.