Version 1.1 – 23 October 2020
At Ember, we're committed to keeping your information private and secure. This notice sets out the personal data we collect and what we will do with it.
Who are we?
We are Ember Core Ltd (“we”, “our”, “us”), operating under the name Ember. We're registered with the Information Commissioner's Office under number ZA575885.
You can email us at firstname.lastname@example.org or write to us at Codebase Argyle House, 3 Lady Lawson Street, Edinburgh, EH3 9DR.
What information do we collect?
We may collect and process the following personal data about you:
Information you submit through our website or by any other means – e.g. your email address if you subscribe to a mailing list or the details you enter when purchasing a ticket
Information from a concession card when scanned on board the bus – the exact data can vary from card to card but typically includes your name, gender, date of birth and card type
CCTV footage captured from cameras on board our buses – we have cameras pointing both inside and outside the bus which are recording and may also be monitored live. Recordings are kept for up to 90 days. We do not record audio from these camera
Technical information related to your usage of this site – e.g. your IP address, operating system and browser
Records of communications – e.g. call recordings, emails and chat transcripts
How your information is used
The information we collect and process is currently used to:
Sell and verify tickets: Our lawful basis for using the data in this way is your consent when purchasing a ticket and our legitimate interest in verifying the ticket on boarding. We keep the data on expired tickets so that you are able to see details of your previous journeys, we can manage refunds or other issues and we can understand how our service is being used
Verify concessionary status: Our lawful basis for using the data in this way is our legitimate interest in verifying someone's concessionary status. Without this, we are not eligible to participate in the concessions scheme
Ensure safety and security on our vehicles: Our lawful basis for using the data in this way is our legitimate interest in using data from CCTV to ensure the safety of our drivers, vehicles and passengers. This includes outward facing cameras which may help us to investigate traffic accidents or vandalism
Market our products and services by email: Our lawful basis for using the data in this way is consent. We will only send marketing to people who have opted in and you can always unsubscribe (e.g. by clicking an unsubscribe link in an email)
Track, monitor and analyse how you use products and services we provide: Our lawful basis for using the data in this way is our legitimate interest to use this data to improve our product, manage our business and detect fraud
In some instances, we may use your data in ways that are not described above. However, we will update this notice before doing so.
Who do we share data with?
As well as people working for us, we may disclose your personal data to:
- Companies that provide services to us: This includes email, telecommunications and hosting providers like Amazon Web Services, Google Cloud, Sendgrid and Twilio. We make an effort to minimise the amount of data we share, for instance sharing anonymous IDs rather than names
- Transport Scotland, in order to claim a reimbursement for concessions using our services
- Insurance companies, in the course of making a claim or investigating an incident
- Law enforcement agencies and other third parties, where necessary to meet our legal obligations
- Anyone you give us permission to share the data with
How long we keep your information
We keep most of your data as long as you are using Ember and for up to 6 years after that. In some cases, we may keep the data for longer if it's in our legitimate interest (e.g. for fraud detection) or it's required to comply with the law. CCTV footage is kept for up to 90 days.
Where your data is stored
In some cases, the data we collect from you may be transferred to and stored by countries or organisations outside the European Economic Area (“EEA”). In these cases, we'll make sure that the European Commission says the country or organisation has adequate data protection, or we’ve agreed to standard data protection clauses approved by the European Commission with the organisation. Contact us if you'd like a copy of the relevant data protection clauses.
Your personal data is protected by legal rights, including your rights to:
- Object to, or request a restriction on, our processing of your personal data (for example, you can request that we don’t use your personal data for purposes of direct marketing)
- Request that your personal data is deleted or corrected, although in certain cases we may not be able to do it for legal reasons
- Ask us for a copy of your personal data, inluding in a machine-readable format
- Obtain and reuse certain personal data for your own purposes
- Withdraw any consent that you've given us
For more information or to exercise your data protection rights, please email email@example.com.
How to complain
If you have a question or want to complain about how we've used your personal data, email us at firstname.lastname@example.org. If you're not happy, you also have a right to complain to the data protection supervisory authority in the EU country where you live or work, or where you think a breach happened. The Information Commissioner's Office (ICO) is the UK regulator.
Changes to this notice
We may up date this notice from time to time. Any changes will be posted on this page and, if appropriate, sent to you by email.