If you use Oyster for travel please see our Oyster privacy page.
Contactless payment methods can include bank/credit cards, mobile phone applications, key fobs, wristbands, payment stickers and tags. Please see What is a contactless payment card to find out more.
Signing up for a customer account is optional for all users of contactless payment for travel. If you are a registered customer, the personal information we will hold includes:
The details of a contactless payment card are encrypted and stored in accordance with payment card industry security standards. Where TfL asks for the three digit CVV or CSV code from the reverse of your card, this is for validation/verification purposes only and helps us to check with your card issuer the card has not been reported lost or stolen. The code is deleted immediately after this process is completed.
TfL's ticketing system records the location, date and time a contactless payment card is used to make a journey on TfL's network or affiliated National Rail services on which contactless payment is accepted.
If you telephone Customer services your call will be recorded for training and quality purposes.
If you sign in to your online web account, TfL will collect the IP address used by your computer for the purpose of fraud prevention and detection.
TfL and the companies that process personal information on our behalf use your personal information for customer services and administration, customer research, fraud prevention and to provide you with travel related information.
We will only send you information about TfL's offers and promotions if you choose to receive it and you can change your marketing preferences at any time. TfL will not pass your personal information to any other organisation for marketing purposes without your prior consent.
If you use contactless payment for travel without signing up for an online account, we will hold the payment card details and journey data in the same way as outlined above, so we can deal with your queries about refunds and transactions. However, no other personal information (eg your name or address) will be linked to your card.
We retain data about the individual journeys made using contactless payment for 13 months after the card is used. This is the case whether or not you have added the card to an online account. After this time, the journey data in the ticketing system is disassociated from your payment card (ie anonymised). This 13 month period is necessary because the details of your journey and payment cannot be separated and, like other retailers, TfL has to retain this transaction data in accordance with financial service industry regulations.
You have the option to disassociate a contactless payment card from your online account at any time. If you ask us to do this, details of the card will also be disassociated from your other personal information.
IP addresses collected when you access your online account are retained for 13 months.
We take the privacy of our customers very seriously and a range of robust policies, processes and technical measures are in place to control and safeguard access to, and use of, personal information associated with contactless payment.
TfL has contracts with a number of third party service providers, which provide the majority of the administration and 'back office' services that ensure the efficient day-to-day operation of our electronic ticketing systems.
If you use your contactless payment card on National Rail services, TfL may share your personal data with the relevant train operating companies for the same purposes that we process your data. Where you have agreed to receive marketing messages from train operating companies, we will pass them your contact details.
TfL will not share the details of individual journeys with your bank or credit card provider. These transactions will appear on your bank or credit card statement in the same way as any other purchase made using that card.
From time to time TfL or other organisations (such as your bank or credit card provider) may want to offer you the opportunity to participate in offers, promotions or fundraising initiatives linked to the use of contactless payment on TfL services. If this involves sharing information such as the details or cost of a journey you've made, TfL (or that other organisation) will always seek your prior consent.
In some circumstances, disclosures of personal data to the police (and other law enforcement agencies) are permitted by the Data Protection Act 1998 (DPA), if they relate to the prevention or detection of crime and/or the apprehension or prosecution of offenders. Before any such disclosure takes place, the police are required to demonstrate that the personal data concerned will assist them in this respect. Each police request to TfL is dealt with on a strictly case-by-case basis to ensure that any such disclosure is lawful and in accordance with the DPA.
TfL and its service providers currently process personal information relating to contactless payment within the United Kingdom and the USA. Any such processing is subject to appropriate contractual safeguards and carried out in accordance with the requirements of UK and EU privacy legislation.
If you are a registered customer, you can see your journey history and other information by signing into your TfL online account.
Unregistered customers can access the last seven days journey history online, or can request a copy by calling Customer services. You will be required to verify your card information and identity each time you access this service.
For access to other personal information please see the section on 'Subject Access requests' in Access your data.
Transport for London (TfL), its subsidiaries and service providers, will use your personal information for the purposes of customer services and administration, the provision of travel related information, customer research and fraud prevention. If you use your contactless payment card in connection with National Rail products or services, you will also be authorising TfL to share your personal information with relevant Train Operating Companies (TOCs) so that they can use it for the same purposes. Your personal information will be properly safeguarded and processed in accordance with the requirements of the Data Protection Act 1998.
In certain circumstances, TfL and relevant TOCs may also share your personal information with the police and other law enforcement agencies for the purposes of the prevention or detection of crime.
Transport for London (TfL), its subsidiaries and service providers, will use your personal information for the purposes of providing you with journey and charging history associated with your contactless payment card and to respond to any targeted/specific enquiries you may have regarding the use of your contactless payment card to pay for travel.
If you do not sign up for a TfL online account, you will be required to enter your contactless payment card number, expiry date, card security code and billing address on each occasion you wish to access the last seven days of journey and charging data. TfL will use the information you provide to carry out an authorisation check with your card issuer and will not use or retain it for any other purpose.
Your personal information will be properly safeguarded and processed in accordance with the requirements of the Data Protection Act 1998.