Show search form
Close search

Website and marketing privacy policy

Website and Marketing

This privacy notice explains how we collect, process and store your personal data:

  • Through your use of our website
  • When we market to you

Our website and marketing are not intended for children, and we do not knowingly collect personal data relating to children.

Please note that where we provide passenger WiFi, we do so as a processor on behalf of the relevant controller. As a processor, we have a contractual relationship with the controller, which documents our respective responsibilities and liabilities in relation to data protection. For the avoidance of doubt, this privacy notice does not relate to your use of passenger WiFi. If you have any questions concerning how the controller uses your personal data, including in relation to passenger WiFi, please refer to the relevant controller’s privacy notice.

Further, we have a separate and internal privacy notice for employees. If you have any questions in relation to the same, please do not hesitate to contact us.

pile of scrap paper

Who we are

We are Nomad Holdings Limited, whose registered office is at The Place, 8th Floor, High Holborn, London, England WC1V 7AA with company number 05871463. Nomad Holdings Limited is registered with the Information Commissioner’s Office (“ICO”) with registration number ZA437312.

Nomad Holdings Limited has the following subsidiaries:

  • Nomad Digital Limited
  • Nomad Digital GmbH
  • Nomad Digital Pty Limited
  • Nomad Digital BV
  • Nomad Digital Inc
  • Nomad Digital ApS
  • Nomad Digital Belgium
  • Nomad Digital France
  • Nomad Digital Italia S.r.l.

hereinafter referred to as the “Group”.

Please note that any marketing email that we send to you will come from Nomad Holdings Limited, however the content of such correspondence may refer to any member of the Group. This will be made clear to you when you opt-in to receive marketing from us.

Data Protection Officer

We have appointed a Data Protection Officer, who is responsible for overseeing Nomad’s ongoing commitment to data protection and privacy. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact our Data Protection Officer using the details set out below.

How to contact us

Email address: dpo@nomadrail.com

Postal address: FAO Data Protection Officer, Nomad Digital, One Trinity, 5th Floor, Broad Chare, Newcastle upon Tyne, United Kingdom NE1 2HF

Telephone number: +44 (0) 3300889320

Your right to complain

You have the right to make a complaint at any time to the ICO or your local supervisory authority. We would, however, appreciate the chance to deal with your concerns before you approach the ICO or your local supervisory authority, so please Contact Us in the first instance.

You can contact the ICO on 0303 123 1113 or www.ico.org.uk/concerns.

If you are based outside the UK, you have the right to lodge your complaint with the supervisory authority in your country of residence.

Personal data that we collect about you

Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed.

We may collect, use, store and/or transfer different kinds of personal data about you, which we have grouped together as follows:

  • Identity Data – includes your first name, last name, title, the company that you work for and the geographic region in which you are located
  • Contact Data – includes your email address
  • Usage Data – includes information about how you use our website, products, services and solutions
  • Marketing and Communications Data – includes your preferences in receiving marketing from us

Please note that we do not collect any special categories of personal data about you. This includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data.

How is your personal data collected?

You may give us your Identity, Contact, and Marketing and Communications Data by filling in forms, or by corresponding with us by email or otherwise. This includes personal data that you provide us with when you request marketing to be sent to you.

If you do not agree with how we will process your personal data (i.e. in accordance with this privacy notice), then we ask you not to provide your personal data to us.

How we use your personal data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • Where you have provided your consent
  • Where it is necessary for our legitimate interests, e.g. where we have business or commercial reasons to use your personal data, however, we will never put our legitimate interests about what is best for you

The below table demonstrates the purposes for which we may use your personal data, including the type of personal data and the lawful basis:

Personal corporate email addresses

We may collect your personal corporate email address when – for example – we exchange business cards with you at an event, or as part of our day-to-day business relationship with you. Whilst personal corporate email addresses – i.e. firstname.lastname@company.com – constitute personal data and will be subject to the relevant data protection legislation, they generally do not benefit from the rules on direct marketing and consent. This means that organisations – including Nomad Digital – may market to you by email without receiving your opt-in consent. That said, it serves little purpose for us to contact you if you do not want to hear from us, so you can unsubscribe at any time. You will always be given a clear opportunity to unsubscribe each time you receive a communication from us.

Third parties

We do not share your personal data with any third parties outside the Group unless we are legally required to do so. We may disclose your personal data if we are under a legal obligation to do so, to prevent fraud, or to protect our rights, property, or the safety of our customers, suppliers or employees.

We may share your personal data in the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets, or if we or substantially all of our assets are acquired by a third party, in which case personal data held by us will be one of the transferred assets.

If your personal data is provided to any third parties, you are entitled to request details of the recipients of your personal data or the categories of recipients of your personal data.

Cookies

You can set your browser to disable cookies. If you disable cookies, some parts of our website may become inaccessible or not function properly. For more information about how we use cookies, please refer to our Cookies Policy.

Change of purpose

We will only use your personal data for the purposes for which we originally collected it. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis upon which we propose to do so.

International transfers

We may share your personal data within the Group. This may involve transferring your personal data outside the European Economic Area (“EEA”), including Australia, the USA, Canada and the UK (post-Brexit).

With the exception of the USA, Australia and the UK (post-Brexit), all Group entities are situated in countries that have received some form of adequacy decision by the European Commission, meaning that ND only transfers your personal data to and between countries where they are deemed to provide an adequate level of protection and have appropriate data protection and security practices in place. The transfer of personal data between ND entities – including the USA, Australia and the UK – is nevertheless governed by the Standard Contractual Clauses in their entirety and without amendment, which all ND entities have signed up to. The transfer of personal data between ND entities is subject to regular review; ND regards its current safeguards as appropriate.

There may be exceptional circumstances where your personal data is transferred outside of the Group, to a country not covered by the GDPR or in receipt of some form of adequacy decision by the European Commission. If this happens, ND will ensure that your personal data is transferred in such a way that is adequately safeguarded, either by ensuring that the Standard Contractual Clauses are in place or – more likely – by managing the flow of your personal data to ensure that any transfer to a non-Group third-party occurs in-country.

Data security

We have put in place appropriate security measures to prevent your personal data being accidentally lost, used or accessed in an unauthorised way, or altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach, and we will notify you and any applicable supervisory authority of a breach where we are legally required to do so. We are obliged to notify the Information Commissioners Office without undue delay, and where feasible, no later than 72 hours of becoming aware of a personal data breach, unless we consider that the personal data breach is unlikely to result in a risk to your rights and freedoms.

In relation to its EU entities, ND previously relied on the One-Stop-Shop concept, meaning that the ICO would be the lead authority in relation to cross-border processing. In practice, this meant that, if – for example – ND needed to report a personal data breach involving data subjects in the UK, France and Belgium, it would report to the ICO (as its local supervisory authority) and the ICO would investigate in the context of the UK, France and Belgium. Post-Brexit, however, ND will be unable to continue to rely on the One-Stop-Shop concept. As a result, in the example of a personal data breach involving data subjects in the UK, France and Belgium, ND would report to the ICO plus one of France or Belgium (who would act as the One-Stop-Shop for affected data subjects in the EU).

Data retention

We will only retain your personal data for as long as is necessary to fulfil the purposes for which we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. You may also provide information to us when completing forms on our website. In these circumstances, this information will be held by us for 30 days before being deleted. Please note, however, any information provided to us for marketing purposes will only be deleted when you unsubscribe.

In certain circumstances, we may anonymise your personal data so that it can no longer be associated with you so that we can use this for business planning and other business uses which are in our legitimate interests. When we do this, we may use such anonymised information without further notice to you.

Your legal rights

In certain circumstances, you have the following legal rights in relation to your personal data:

  • To request access to your personal data that we hold
  • To request correction of the personal data we hold about you if it is incorrect, out of date or incomplete
  • To request erasure of your personal data
  • To object to processing of your personal data (please see further below)
  • To request the processing of your personal data be restricted
  • To request the transfer of your personal data so that it can be transferred to you or a third party that you have chosen
  • To request we discontinue any consent-based processing of your personal data after you withdraw that consent. This will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain things to you and/or the App may not work as effectively

You have the right to object, at any time, to the processing of your personal data which is necessary for the purposes of the legitimate interests pursued by us or a third party, including where we undertake any form of automated processing of your personal data, consisting of the use of personal data to evaluate certain personal aspects relating to you, such as analysing or predicting your personal preferences. If you object to the processing, we must no longer process that personal data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or that the processing is required for the establishment, exercise or defence of legal claims.

If you wish to exercise any of the above rights, please Contact Us. Please note that we may not be required to comply with your request. If this is the case, we will notify you.

You will not have to pay a fee to access your personal data. However, we may charge a reasonable fee if your request is clearly unfounded or excessive (particularly where requests are repetitive). Alternatively, we may refuse to comply with your request in such circumstances.

We may need to request specific information from you in order to help us confirm your identity and ensure your right to access your personal data. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask for further information in relation to your request.

Please note that we try to respond to all legitimate requests within one (1) calendar month. If this is not possible because the following month is shorter and there is no corresponding calendar date, then the date for response is the last day of the following month. If the corresponding date falls on a weekend or a public holiday, we have until the next working day to respond. For example, if we receive your request on Thursday 3 September 2020, we will have until Monday 5 October 2020 to respond, as 3 October 2020 falls on a Saturday. Occasionally, it may take us longer than a month if your request is particularly complex or if you have made a number of requests. In this case, we will notify you and keep you updated.

If you have any questions at all in relation to this privacy notice or any other matter relating to your personal data, please feel free to Contact Us.

This privacy notice was last updated on 20 June 2022. We may change this notice by updating this page to reflect changes in the law or our data protection practices. We will also inform you of significant changes to this policy and ask for your consent should this be required by law.