1. Introduction
This Privacy Policy explains how Holdham Group collects, uses, stores, shares and protects personal data.

Holdham Group is the trading name of Holdham Rail Solutions Group Limited, a privacy limited company registered in England and Wales under company number 15871995.

Registered office: Bishop Trains, Bob Hardisty Drive, Bishop Auckland, England, DL14 7TL.

In this Privacy Policy, references to "Holdham Group", "Holdham", "we", "us", or "our" mean Holdham Rail Solutions Group Limited and, where the context requires, its subsidiary, associated or group companies.

This Privacy Policy applies when you:
- visit our website;
- contact us;
- make an enquiry;
- subscribe to updates;
- apply for a job;
- interact with us on social media;
- purchase or enquire about tickets, events, services or experiences;
- use services provided by us or a group company;
- engage with us as a supplier, partner, client, contractor, venue, operator, licensor or stakeholder;
- otherwise provide personal data to us.

This Privacy Policy should be read alongside our Legal Notice, Terms of Use, Cookie Policy, Accessibility Statement and any specific terms and conditions applying to a ticket, booking, event, journey, service, contract or transaction.

2. Who is responsible for your personal data?
For the purposes of UK data protection law, including the UK GDPR and Data Protection Act 2018, the controller of your personal data will usually be:

Holdham Rail Solutions Group Limited (T/A Holdham Group)
Bishop Trains
Bob Hardisty Drive
Bishop Auckland
England
DL14 7TL

A controller is the organisation that decides why and how personal data is processed. The Information Commissioner's Office (ICO) explains that organisations must consider their role carefully because obligations differ depending on whether they act as a controller, joint controller or processor.

In some cases, another company within the Holdham Group may be the controller of your personal data. In other cases, we may act as a processor on behalf of another organisation, such as a client, partner, operator, venue, licensor or event organiser.

Where we act as a processor, we process personal data only in accordance with the relevant controller's instructions and the applicable contract.

Where we act as joint controller with another organisation, we will agree responsibilities with that organisation where required by law.

3. Contact details
If you have any questions about this Privacy Policy or how we use your personal data, please contact us through the contact page on this website.

For formal privacy correspondence, please write to:

Data Protection Officer
Holdham Rail Solutions Group Limited
Bishop Trains
Bob Hardisty Drive
Bishop Auckland
England
DL14 7TL

4. Personal data we may collect
We may collect and use different types of personal data depending on your relationship with us.
4.1 Identity and contact details
This may include:
- name;
- title;
- organisation;
- job title;
- postal address;
- email address;
- telephone number;
- social media handle;
- account or customer reference number.
4.2 Enquiry and communication data
This may include:
- information you provide through contact forms;
- emails, letters, messages and call notes;
- details of your enquiry;
- records of correspondence;
- complaints, feedback or requests;
- communication preferences.
4.3 Ticketing, booking and event data
This may include:
- booking details;
- event or journey selected;
- ticket type;
- passenger names;
- accessibility requirements;
- dietary requirements;
- seating preferences;
- transaction references;
- order history;
- customer service records;
- refund, exchange or amendment requests.
We may collect limited special category data where necessary, for example where you voluntarily provide accessibility, medical, dietary or suppport requirements for an event, journey or service.
4.4 Payment and transaction data
This may include:
- payment status;
- transaction reference;
- billing details;
- partial payment card information where provided by a payment processor;
- refund records;
- fraud prevention checks.
We do not normally store full payment card details. Payments are usually processed by thirdp-party payment providers.
4.5 Business, partner and supplier data
This may include:
- business contact details;
- company name;
- role or job title;
- contract details;
- supplier records;
- purchase orders;
- invoices;
- payment details;
- due diligence information;
- insurance, compliance and safety documentation;
- meeting notes;
- commercial correspondence.
4.6 Marketing and preferences data
This may include:
- marketing preferences;
- newsletter subscription status;
- event interests;
- campaign interactions;
- email open and click data;
- social media engagement;
- survey responses;
- preferences about services, events or sectors.
4.7 Website and technical data
This may include:
- IP address;
- browser type and version;
- device type;
- operating system;
- time zone setting;
- pages viewed;
- referring website;
- date and time of visit;
- website usage data;
- cookie identifiers;
- analytics data.
More information should be provided in our Cookie Policy.
4.8 Recruitment data
If you apply for a role with us, we may collect:
- CV;
- covering letter;
- employment history;
- education and qualifications;
- references;
- interview notes;
- right-to-work information;
- salary expectations;
- availability;
- assessment results;
- recruitment correspondence.
We may also process equality monitoring information where provided voluntarily and where lawful.
4.9 Images, video and audio
We may collect or use:
- photographs;
- video footage;
- event images;
- CCTV footage where applicable;
- call recordings where used;
- media content from events, launches or promotional activity.
Where we use photography or filming at events, we will seek to provide appropriate notices and, where required, obtain consent.
4.10 Sensitive or special category data
We may process special category data only where necessary and lawful. This may include:
- accessibility requirements;
- health or medical information relevant to safety or service delivery;
- dietary information that may reveal health or religious information;
- equality monitoring information in recruitment;
- safeguarding-related information where applicable.
We will only process this information where we have a lawful basis and, where required, an additional condition under data protection law.

5. How we collect personal data
We may collect personal data:
- directly from you;
- when you complete a form on our website;
- when you contact us by email, phone, post, social media or online form;
- when you buy or enquire about tickets, services, events or experiences;
- when you subscribe to updates;
- when you apply for a job;
- when you attend an event, meeting or site;
- from group companies;
- from ticketing platforms, payment providers or booking systems;
- from clients, partners, operators, venues, licensors or suppliers;
- from publicly available sources such as Companies House, professional websites or social media;
- from analytics, cookies and similar technologies;
- from third-party marketing, CRM, customer support or business systems.

6. Why we use personal data and our lawful bases
UK data protection law requires us to have a lawful basis for processing personal data. The ICO explains that the lawful basis depends on the purpose and context of the processing, and organisations should record which basis they rely on. We may use personal data for the purposes below.
6.1 To operate and manage our website
We use personal data to:
- provide website access;
- maintain website security;
- monitor performance;
- understand how visitors use the website;
- fix errors;
- improve website content and functionality.
Lawful bases may include:
- legitimate interests;
- consent, where required for non-essential cookies or similar technologies;
- legal obligation, where applicable.
6.2 To respond to enquiries
We use personal data to:
- respond to contact form submissions;
- answer questions;
- provide information;
- manage correspondence;
- route enquiries to the correct team or group company.
Lawful bases may include:
- legitimate interests;
- steps prior to entering into a contract;
- contract;
- legal obligation.
6.3 To provide tickets, bookings, events, journeys and customer services
We use personal data to:
- process bookings;
- issue tickets;
- manage customer accounts or orders;
- provide event or journey information;
- manage seating, accessibility or dietary requirements;
- respond to customer service queries;
- process refunds, exchanges or amendments;
- communicate operational updates;
- manage complaints.
Lawful bases may include:
- contract;
- legitimate interests;
- legal obligation;
- consent, where appropriate;
- vital interests, in an emergency.
Where special category data is processed, additional conditions may include explicit consent, substantial public interest, health and safety, or protection of vital interests, depending on the circumstances.
6.4 To provide B2B services
We use personal data to:
- provide ticketing support;
- manage B2B rail ticketing services;
- provide marketing support;
- deliver customer experience support;
- manage consultancy or commercial projects;
- provide event delivery support;
- manage client relationships;
- deliver contracted services.
Lawful bases may include:
- contract;
- legitimate interests;
- legal obligation.
6.5 To manage suppliers, partners and commercial relationships
We use personal data to:
- manage supplier onboarding;
- negotiate contracts;
- process invoices;
- maintain business records;
- manage insurance, compliance and safety documentation;
- communicate with partners, venues, operators, licensors and contractors;
- carry out due diligence;
- manage disputes.
Lawful bases may include:
- contract;
- legitimate interests;
- legal obligation.
6.6 To send marketing and updates
We may use personal data to:
- send newsletters;
- send event updates;
- promote services;
- invite you to events;
- share company news;
- provide relevant B2B updates;
- measure campaign performance.
Lawful bases may include:
- consent;
- legitimate interests, where permitted by law;
- contract, where communications relate to a service you have requested.
You can unsubscribe from marketing communications at any time by using the unsubscribe link or contacting us.
6.7 To improve our services and customer experience
We use personal data to:
- analyse customer feedback;
- improve customer journeys;
- improve booking flows;
- assess event performance;
- improve marketing and communications;
- develop new services;
- monitor quality and service standards.
Lawful bases may include:
- legitimate interests;
- consent, where required.
6.8 To recruit staff and contractors
We use personal data to:
- assess applications;
- contact candidates;
- arrange interviews;
- carry out recruitment checks;
- assess suitability;
- make offers;
- keep recruitment records;
- comply with employment law.
Lawful bases may include:
- steps prior to entering into a contract;
- contract;
- legal obligation;
- legitimate interests;
- consent, where appropriate.
6.9 To comply with legal, regulatory and safety obligations
We use personal data to:
- comply with company law, tax law, employment law, health and safety law, data protection law and other legal obligations;
- maintain records;
- respond to lawful requests;
- manage incidents;
- protect passengers, customers, staff and visitors;
- support insurance claims;
- cooperate with regulators or authorities.
Lawful bases may include:
- legal obligation;
- legitimate interests;
- vital interests;
- public task, where applicable;
- contract.
6.10 To protect our business, people and rights
We use personal data to:
- prevent fraud;
- protect systems and premises;
- manage disputes;
- enforce contracts;
- protect intellectual property;
- investigate misuse;
- manage legal claims;
- protect staff, customers and partners.
Lawful bases may include:
- legitimate interests;
- legal obligation;
- contract;
- vital interests, in emergencies.

7. Legitimate interests
Where we rely on legitimate interests, we consider whether our interests are overridden by your rights and freedoms.

Our legitimate interests may include:
- operating and improving our business;
- responding to enquiries;
- managing commercial relationships;
- providing customer support;
- promoting relevant services to business contacts;
- improving website performance;
- preventing fraud and misuse;
- protecting our legal rights;
- maintaining security;
- developing services;
- managing events and operations;
- ensuring effective group administration.

You have the right to object to processing based on legitimate interests in certain circumstances.

8. Marketing communications
We may send marketing communications where you have consented or where we are otherwise permitted to do so by law.

Marketing communications may include:

- newsletters;
- event announcements;
- service updates;
- rail ticketing updates;
- marketing support offers;
- invitations;
- group news;
- relevant commercial updates.

You can opt out of marketing communications at any time.

We will not sell your personal data to third parties for their own marketing purposes.

9. Cookies and analytics
Our website may use cookies and similar technologies to:

- make the website work;
- remember preferences;
- understand website usage;
- improve performance;
- support analytics;
- support marketing or advertising, where enabled.

Non-essential cookies should only be used where permitted by law and, where required, with your consent.

More information should be set out in our Cookie Policy.

10. Who we share personal data with
We may share personal data with:
- companies within the Holdham Group;
- ticketing platforms;
- payment providers;
- customer service platforms;
- email marketing platforms;
- CRM providers;
- website hosting providers;
- IT and cybersecurity providers;
- analytics providers;
- professional advisers, including lawyers, accountants, insurers and consultants;
- rail operators;
- venues;
- licensors;
- event partners;
- suppliers and contractors;
- delivery and fulfilment partners;
- recruitment platforms;
- payroll, HR or employment service providers;
- regulators, authorities, courts, law enforcement bodies or public agencies where required or permitted by law;
- potential purchasers, investors, funders or restructuring parties in connection with business transactions.

We require service providers to handle personal data securely and only for authorised purposes.

11. International transfers
Some of our suppliers, systems, platforms or partners may process personal data outside the United Kingdom.

Where personal data is transferred outside the UK, we will take steps intended to ensure that appropriate safeguards are in place, such as:

- adequacy regulations;
- standard contractual clauses;
- international data transfer agreements;
- transfer risk assessments;
- other lawful transfer mechanisms.

12. How long we keep personal data
We keep personal data only for as long as necessary for the purposes for which it was collected, including for legal, regulatory, accounting, reporting, operational, safety, insurance and dispute resolution purposes.

Retention periods may vary depending on the type of data and the context.

Examples:
- general enquiries may be kept for a reasonable period after the enquiry is resolved;
- customer booking records may be kept for the period needed to manage the booking and meet legal or accounting obligations;
- financial records may normally be kept for at least six years;
- recruitment records for unsuccessful candidates may usually be kept for a limited period after the recruitment process;
- supplier and contract records may be kept for the duration of the relationship and a reasonable period afterwards;
- marketing preferences may be kept until you unsubscribe or ask us to remove them;
- legal, safety, insurance or dispute records may be kept for longer where necessary.

When personal data is no longer needed, we will delete, anonymise or securely archive it.

13. How we protect personal data
We use appropriate technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration, disclosure or destruction.

These may include:
- access controls;
- password protection;
- multi-factor authentication;
- staff training;
- secure systems;
- supplier due diligence;
- data minimisation;
- internal policies;
- backup and recovery measures;
- incident management processes;
- confidentiality obligations.

No system can be guaranteed to be completely secure, but we take reasonable steps to protect personal data.

14. Your data protection rights
Under data protection law, you may have the following rights:
- the right to be informed about how your personal data is used;
- the right of access to your personal data;
- the right to rectification of inaccurate personal data;
- the right to erasure in certain circumstances;
- the right to restrict processing in certain circumstances;
- the right to data portability in certain circumstances;
- the right to object to processing in certain circumstances;
- rights relating to automated decision-making and profiling;
- the right to withdraw consent where processing is based on consent.

The ICO explains that individuals have the right to access and receive a copy of their personal data, commonly known as a subject access request, and that organisations should usually respond without delay and within one month.  

To exercise your rights, please contact us using the details in this Privacy Policy.

We may need to verify your identity before responding to a request.

15. Withdrawing consent
Where we rely on consent to process your personal data, you may withdraw that consent at any time.

Withdrawing consent will not affect the lawfulness of processing carried out before consent was withdrawn.

You can withdraw marketing consent by using the unsubscribe link in our emails or by contacting us.

16. Automated decision-making and profiling
We do not currently intend to make decisions about individuals based solely on automated processing that produce legal or similarly significant effects.

We may use limited profiling or segmentation for marketing, analytics, customer experience or service improvement purposes, such as understanding customer interests or campaign performance.

Where required by law, we will provide further information and safeguards.

17. Children’s personal data
Some of our events, experiences or services may involve children or families.

Where we process children’s personal data, we will do so only where lawful and appropriate, and we will take steps to protect children’s privacy.

For bookings involving children, personal data is usually provided by a parent, guardian or responsible adult.

We do not knowingly use children’s personal data for direct marketing without appropriate consent or legal basis.

18. CCTV, photography and filming
Where CCTV is used at premises, stations, events or offices under our control, it will be used for purposes such as safety, security, crime prevention, incident management and operational oversight.

Where photography or filming takes place at events, launches, media activity or promotional activity, notices may be displayed or information may be provided in advance where appropriate.

If you have concerns about photography or filming at an event, you should contact a member of staff or contact us using the details in this Privacy Policy.

19. Social media
If you interact with us on social media, the relevant social media platform may also process your personal data under its own privacy policy.

We may process information you provide through social media for purposes such as responding to messages, managing enquiries, monitoring engagement, handling complaints and promoting our services.

You should review the privacy settings and privacy notices of the relevant social media platforms.

20. Links to other websites
Our website may contain links to third-party websites, booking platforms, payment providers, social media platforms or partner websites.

We are not responsible for the privacy practices, security or content of third-party websites or services.

You should read the privacy policy of any external website or service you use.

21. Complaints
If you are unhappy with how we use your personal data, please contact us first so that we can try to resolve the issue.

You also have the right to complain to the Information Commissioner’s Office, the UK supervisory authority for data protection.

Information Commissioner’s Office
Website: ico.org.uk
Telephone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

The ICO explains that privacy information should tell people how they can complain if they have concerns about the way their information is being used.  

22. Changes to this Privacy Policy
We may update this Privacy Policy from time to time.
Any changes will take effect when the updated Privacy Policy is published on this website.
You should check this page periodically to ensure that you understand how we use personal data.

23. Contact us
For privacy enquiries, please contact us through the contact page on this website.
For formal privacy correspondence, please write to:

Data Protection Officer
Holdham Rail Solutions Group Limited
Bishop Trains
Bob Hardisty Drive
Bishop Auckland
England
DL14 7TL