Customer Privacy Policy

At Ember, we're committed to keeping your information private and secure. This notice sets out the personal data we collect on you as a customer or website user and what we will do with it. If you are an employee or job applicant to Ember, you should also review our Employee Privacy Policy and Candidate Privacy Policy.

Who are we?

We are Ember Core Ltd, a company registered in Scotland under company number SC633049 and registered office at Argyle House, 3 Lady Lawson Street, Edinburgh, Scotland, EH3 9DR (“we”, “our”, “us”), operating under the name Ember. We're registered with the Information Commissioner's Office under number ZA575885. We are the controller responsible for deciding how we hold and use personal information about you.

You can email us at it@ember.to or write to us at our registered office at Argyle House, 3 Lady Lawson Street, Edinburgh, EH3 9DR.

What information do we collect?

Personal data means any information about an individual from which that person can be identified.

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

• Identity Data includes full name, username or similar identifier, marital status, title, date of birth and gender.
• Contact Data includes billing address, delivery address, email address and telephone numbers.
• Financial Data includes bank account and payment card details.
• Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
• Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, device ID and other technology on the devices you use to access this website.
• Profile Data includes your username and password, purchases or orders made by you, your interests, preferences feedback and survey responses.
• Usage Data includes information about how you interact with and use our website, products and services.

We also collect, use and share aggregated data such as statistical or demographic data which isn’t personal data as it doesn’t directly (or indirectly) reveal your identity. For example, we may aggregate individuals' Usage Data to calculate the percentage of users accessing a specific website feature in order to analyse general trends in how users are interacting with our website to help improve the website and our service offering.

How is your personal data collected?

We use different methods to collect data from and about you including through:

Your active interactions with us

You may give us your personal data by filling in online forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:

• apply for our products or services
• create an account on our website
• subscribe to our service or publications
• enter a competition, promotion or survey
• give us feedback or contact us

Contact, Financial and Transaction Data is collected from providers of technical, payment and delivery services, such as Stripe.

Your passive interactions with us

As you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. This is explained further in our cookies policy.

Third parties or publicly available sources

We may receive personal data about you from various third parties and public sources, such as Google and social media. This may happen if you contact us via social media platform or the police send us information on missing persons. In some cases, we may also collect identity and contact data from sources such as Companies House or the Electoral Register based inside the UK.

How your information is used

The law requires us to have a legal basis for collecting and using your personal data. We rely on one or more of the following legal bases:

Performance of a contract with you

Where we need to perform the contract we are about to enter into or have entered into with you.

Legitimate interests

We may use your personal data where it is necessary to conduct our business and pursue our legitimate interests, for example to prevent fraud and enable us to give you the best and most secure customer experience.

We make sure we consider and balance any potential impact on you and your rights (both positive and negative) before we process your personal data for our legitimate interests. We don’t use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).

Legal obligation

We may use your personal data where it is necessary for compliance with a legal obligation that we are subject to. We will identify the relevant legal obligation when we rely on this legal basis.

Consent

We rely on consent only where we have obtained your active agreement to use your personal data for a specified purpose, for example if you subscribe to an email newsletter.

Purposes for which we will use your personal data

We have set out a description of all the ways we plan to use the various categories of your personal data, and which legal bases we rely on. This is so we can:

Register you as a new customer

We use your Identity Data and Contact Data. Our legal bases for using the data in this way is the performance of a contract you and necessary for our legitimate interests (to enable us to register your account and enable you to use our products and services).

Process and deliver our services to you

This includes enabling you to purchase a ticket (see below), and recording calls, emails and chat transcripts. In this case we use your Identity Data, Contact Data, Financial Data and Transaction Data. Our legal bases for using the data in this way are performance of a contract, and necessary for our legitimate interests (to enable us to deliver our services to you and for us to be able to review past conversations).

Sell and validate tickets

We use your Identity Data, Contact Data, Financial Data, and Profile Data. Our legal bases for using the data in this way is the performance of a contract when purchasing a ticket and necessary for our legitimate interest in validating the ticket onboard. We keep the data on expired tickets so that you are able to see details of your previous journeys, we can manage refunds or other issues and we can understand how our service is being used.

Keep you updated on your journey

This includes emailing you a ticket at the point of purchase and contacting you by phone, email or SMS in case of delays, changes or cancellations to your service. We may also contact you after your journey to resolve any issues (e.g. about lost property or a cleaning fee). We therefore use your Identity Data, Profile Data, Financial Data and Profile Data. Our lawful bases for using the data in this way is performance of a contract and necessary for our legitimate interest in providing you with relevant information related to the journey you have booked.

Verify concessionary status

We use your Identity Data, Contact Data and Profile Data. Our lawful basis for using the data in this way is necessary for our legitimate interest in verifying someone's concessionary status. Without this, we are not eligible to participate in the concessions scheme.

Ensure safety and security on our vehicles

CCTV footage is captured from cameras onboard our buses and within bus terminals for a variety of reasons, including security, safety and crime prevention. Please refer to the dedicated section below on our use of CCTV and how we process your personal data.

Manage our relationship with you

This includes notifying you of changes to our terms, this notice or our cookies policy, and dealing with any requests, complaints and queries. We use your Identity Data, Contact Data and Profile Data. Our legal bases for using the data in this way are the performance of a contract, necessary to comply with a legal obligation, and necessary for our legitimate interests (to keep our records updated and manage our relationship with you).

Manage your entry in a prize draw or competition and collect survey responses

We use your Identity Data, Contact Data, Profile Data and Usage Data. Our legal basis for using the data in this way is performance of a contract with you or necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business).

Administer and protect our business and this website

This includes troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data. We use your Identity Data, Contact Data and Technical Data. Our legal bases for using the data in this way are necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) and necessary to comply with a legal obligation.

Deliver relevant website content and measure or understand the effectiveness of the content

We use your Identity Data, Contact Data, Profile Data, Usage Data and Technical Data. Our legal basis for using the data in this way is necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy), to improve our product, to manage our business and to detect fraud.

Improve our website, products, services, customer relationships and experiences and to measure the effectiveness of our communications

We use your Technical Data and Usage Data. Our legal basis for using the data in this way is necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy).

Children's personal data

Our website and services are intended for use by individuals of all ages, including children. We do collect limited personal data from children, such as when selling children's tickets and within onboard CCTV footage. We will collect only as much personal data as is necessary for providing our services. If we become aware that we have collected personal data from a child beyond what is necessary for providing our services, we will promptly delete that data. If you believe we have collected personal data from a child inappropriately, please contact us at it@ember.to

Who we share data with

As well as people working for us, we may disclose your personal data to:

• Companies that provide services to us: This includes email, telecommunications and hosting providers like Amazon Web Services, Google Cloud, Sendgrid and Twilio. We make an effort to minimise the amount of data we share, for instance sharing anonymous IDs rather than names
• Transport Scotland, in order to claim a reimbursement for concessions using our services
• Insurance companies, in the course of making a claim or investigating an incident
• Law enforcement agencies and other third parties, where necessary to meet our legal obligations
• Anyone you give us your express consent to share the data with
• Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this notice.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We don’t allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

How long we keep your information

We keep most of your data as long as you are using Ember and for up to 6 years after that. In some cases, we may keep the data for longer if it's in our legitimate interest (e.g. for fraud detection) or it's required to comply with the law. CCTV footage is kept for up to 90 days.

Where your data is stored and where it is transferred

In some cases, the data we collect from you may be transferred to and stored by countries or organisations outside the UK or the European Economic Area (“EEA”), such as third-parties we use to provide our services.

In these cases, we'll make sure that the European Commission says the country or organisation has adequate data protection, or we’ve agreed to an international data transfer agreement approved by the European Commission with the organisation. Contact us if you'd like a copy of the relevant data protection clauses.

How your data is protected

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They’ll only process your personal data on our instructions and they’re subject to a duty of confidentiality. We’ve put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we’re legally required to do so.

How we use CCTV

We use CCTV cameras onboard our buses to ensure the safety and security of our passengers, drivers, and vehicles. As such, we will be using your Identity Data. The following points outline how we handle, process and controll access to CCTV footage.

Purpose

Our CCTV cameras are used to monitor the safety and security of our passengers and staff, as well as to protect our vehicles. This includes monitoring for security incidents, investigating accidents, and preventing vandalism. These cameras are positioned both inside and outside the bus, recording footage but not audio.

Children

Our CCTV system may capture footage of children using our services. We are committed to protecting the privacy and personal data of all passengers, including children. The footage involving children is handled with the same level of care and security as all other CCTV data.

Data retention

CCTV footage is retained for up to 90 days. After this period, the footage is automatically deleted unless it is needed for an ongoing investigation or to comply with a legal obligation.

Access and security

Access to CCTV footage is strictly controlled and limited to authorised personnel only. We ensure that the footage is securely stored and handled in accordance with our data protection policies and applicable laws.

Rights of individuals

Individuals, including parents or guardians of children captured on CCTV, have the right to request access to the footage, seek rectification of any inaccuracies, or request erasure of the footage, subject to certain legal exceptions. This is further explained in this notice under ‘Your rights’.

Lawful bases

Our lawful bases for processing CCTV footage, including footage that may feature children, are:

• Necessary for our legitimate interests. It is necessary for our legitimate interests to monitor our buses for security and safety purposes to protect all passengers and staff.

• Legal obligation. We have a legal obligation to ensure the safety of our drivers, vehicles, and passengers, which justifies the use of CCTV footage.

By implementing these measures, we aim to protect the privacy of all passengers while ensuring the safety and security of our services.

Marketing

Direct marketing

We don't opt you in to any marketing and don't ask you to opt-in as part of making a purchase.

Third-party marketing

We will not share your personal data with any third party for their own direct marketing purposes.

Third-party links

This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We don’t control these third-party websites and so we’re not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

Your rights

Your personal data is protected by legal rights, including your rights to:

• Request access to your personal data (commonly known as a "subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we’re lawfully processing it.
• Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
• Request erasure of your personal data in certain circumstances. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Please do note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which we will notify you of, if applicable, at the time of your request.
• Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) as the legal basis for that particular use of your data (including carrying out profiling based on our legitimate interests). In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your right to object.
• Request the transfer of your personal data to you or to a third party. We’ll provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. This right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
• Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in one of the following scenarios:
  • If you want us to establish the data's accuracy
  • Where our use of the data is unlawful but you don’t want us to erase it
  • Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims
  • You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it

You won’t have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data isn’t disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we’ll notify you and keep you updated.

For more information or to exercise your data protection rights, please email it@ember.to.

How to complain

If you have a question or want to complain about how we've used your personal data, email us at it@ember.to. If you're not happy, you also have a right to complain to the data protection supervisory authority in the EU country where you live or work, or where you think a breach happened. The Information Commissioner's Office (ICO) is the UK regulator.

Changes to this notice

We may update this notice from time to time. Any changes will be posted on this page and, if appropriate, sent to you by email.