Privacy policy


Protecting your privacy is important to us. This policy explains how any information you give to us is used and stored so that you remain informed and in control of your information, your privacy choices when using our website or apps and your right to access your information.

Following changes to GDPR (General Data Protection Regulation) from May 2018, we introduced a new approach that relies on you giving us your consent about how we can contact you. This means you’ll have the choice as to whether you want to receive these messages and be able to select how you want to receive them (email, phone or post).

You can decide not to receive communications or change how we contact you at any time. If you wish to do so please either e-mail [email protected] or write to Data Protection at Cardiff bus, Head Office, Sloper Road, Cardiff CF11 8TB.

1. About us

In this policy whenever you see the words we, us or our, this refers to Cardiff City Transport Services Ltd (Cardiff bus). Your personal data (i.e. any information which identifies you, or which can be identified as relating to you personally) will be collected and used by Cardiff bus, a private limited company registered in Wales with registration number 2001229 and ICO registration number Z4990159.

2. Questions?

Any questions you have in relation to this policy or how we use your personal data should be sent to [email protected] or addressed to Data Protection at Cardiff bus, Head Office, Sloper Road, Cardiff CF11 8TB.

3. How we may collect information from you

We collect data you provide to us for specific activities including:

  • Signing up to one of our iff card travel schemes
  • Dealing with your enquiries / complaints or to deal with accident or claim you might have
  • Registering certain financial information when you apply for an iff card under one of our travel schemes
  • If you apply for an iff card for a member of your family, your details as well as the recipients and your relationship to that person will be recorded
  • Providing information about yourself with regards online job applications
  • Subscribing to newsletters, alerts or other services from us
  • Taking part in a competition, prize draw or survey
  • Visit or browse our website
  • Use one of our “apps”
  • CCTV on vehicles and site

4. What personal information we collect

The personal information we collect depends on the service you use and what you subscribe to. It includes (but is not limited to):

  • Name, address, telephone number, date of birth and e-mail address
  • Credit or debit card information
  • Information about your bank account number and sort code when you set up a direct debit
  • Your contact with us – such as a note or recording of a call you make to our Customer Service department, an email or letter you send to us or other records of any contact you have with us
  • Information detailed in an online job application
  • CCTV images
  • Cookies on our website
  • App information

4a. Young person’s personal data

Young person (16-21yr old) iff cards

Our Young person iff cards are issued in line with the Welsh Government scheme to provide children between the ages of 16 and 21 years with discounted travel. To issue the passes we need to collect information regarding the child’s name, date of birth, address and a photograph which is printed onto the card. Application is via e-mail or in person at our Head office.

School iff cards

“School” cards are issued on request from the local authority. To process these cards we need to collect the child’s name, date of birth, which school they attend, the name of the person from the local authority who is authorising the travel pass and their home address so that cards can be sent directly to their home address. 

College iff cards

The college iff cards are issued in conjunction with the young person’s college enabling them to receive discounted travel on our buses. To issue these passes we need to collect the young person’s name, date of birth, address and college i.d. number. These cards are sent to the college who then distribute them to the individual.

We don’t ask children / young persons for consent to marketing communications so they don’t receive them unless they ask for them.

4b. Sensitive personal data

We do not normally collect or store sensitive personal data (such as information relating to a persons’ health or beliefs) about customers. However, there are some situations where this may occur for example if in the unfortunate event you have an accident on or with one of our vehicles.  In addition, if you apply for a position with us via our online recruitment system, then there is certain sensitive data that is requested. When this happens, we’ll take extra care to ensure your privacy is protected.

5. How we may use the information you give us

We only ever use your personal data with your consent, or where it is necessary for us to:

  • Enter into or perform a contract with you
  • Comply with a legal duty
  • Protect your vital interests
  • Is a legitimate interest

We’ll never sell your personal data and will only share it with organisations we work with and when it’s necessary and the privacy and security of your data is assured. However, we may forward your personal details to the Police or another regulatory body if we are asked to do so or wish to do so in order to comply with the law.

5a. Cookies and social media features

The Cardiff bus website contains features which may collect your IP address, which page you are visiting on our website and may set a cookie to enable the feature to function properly. Cookies are pieces of data that are created when you visit a website, Cardiff bus website usage is monitored through a web analytics service provided by Google. Further information on cookies can be found in our cookie policy.

6. How we protect data

We use a variety of both technical and physical measures to keep your data safe and to prevent unauthorised access to, use, or disclosure of your personal information.

Electronic data and databases are stored on secure computer systems and we control who has access to information. Our employees who have access to personal data are obliged to respect the confidentiality of your personal data.

Cardiff bus website contains hyperlinks to websites owned and operated by third parties. These third party websites have their own privacy policies and are also likely to use cookies, please take time to review them. They will govern the use of personal information you submit when you visit these websites. We do not accept any responsibility or liability for the privacy practices of such third party websites and your use of such websites is at your own risk.

Again, communications over the internet (such as emails) aren’t secure unless they’ve been encrypted. Your communications may go through a number of countries before being delivered – as this is the nature of the internet. We can’t accept responsibility for any unauthorised access or loss of personal information that’s beyond our control.

6a. Payment security

All electronic Cardiff bus forms that request financial data will use the Secure Sockets Layer (SSL) protocol to encrypt the data between your browser and our servers.

If you use a credit card to top up your iff card on-line we will pass your credit card details securely to our payment provider (Datacash). Other payment methods (e.g. ApplePay) are handled in a similar manner. Cardiff bus complies with the payment card industry data security standard (PCI-DSS) published by the PCI Security Standards Council, and will never store card details.

Of course, we cannot guarantee the security of your home computer or the internet, and any online communications (e.g. information provided by email or our website) are at the user’s own risk.

7. Storage of data

We will only use and store your information for as long as it is required for the purposes it was collected for. How long it will be stored for depends on the information in question, what it is being used for and, sometimes, statutory legal requirements.


CCTV is in operation on our vehicles and at our depot site and you may be recorded when you use the bus or visit our site. CCTV is in operation to protect you and also Cardiff bus. However, CCTV will only be viewed when necessary (e.g. to prevent crime, investigate traffic accidents) and footage is only stored temporarily. Unless it is requested for viewing, CCTV will be recorded over. Whenever CCTV is used notices will be placed accordingly.

9. Keeping you in control

We want to ensure you remain in control of your personal data. Part of this is making sure you understand your legal rights, which are as follows:

  • the right to confirmation as to whether or not we have your personal data and, if we do, to obtain a copy of the personal information we hold (this is known as subject access request);
  • the right to have your data erased (though this will not apply where it is necessary for us to continue to use the data for a lawful reason);
  • the right to have inaccurate data rectified;
  • the right to opt out of marketing communications that we may send you any time;
  • where technically feasible, you have the right to personal data you have provided to us which we process automatically on the basis of your consent or the performance of a contract. This information will be provided in a common electronic format.
    Please keep in mind that there are exceptions to the rights above and, though we will always try to respond to your satisfaction, there may be situations where we are unable to do so.
    If you would like further information on your rights or wish to exercise them, please write to Data Protection at Cardiff bus, Head Office, Sloper Road, Cardiff, CF11 8TB or email [email protected]
    Cardiff bus may charge a fee for responding to a subject access request. If that is the case, we will advise you that a fee is payable before responding substantively in writing to the postal or electronic request you provided.
    Requests will generally be dealt with within one month of receipt of the request, however there could be an extension to that timescale (which you will be informed about) if the request is complex or numerous.

10. Changes to our Privacy policy

Cardiff bus may update this policy from time to time to ensure that it remains up to date and effective.  We will post any update(s) to this policy on our website; all update(s) will be effective immediately on posting.

This policy was last updated on 06.10.2020