About this privacy notice
This privacy notice has been written to provide you with information about how the London Luton Airport Limited (trading as Luton Rising) (“Luton Rising”, “we”, “us”, “our”) handles or intends to handle personal information relating to passengers using the Luton DART (Direct Air-Rail Transit) and visitors to the site in accordance with the UK General Data Protection Regulation (“UK GDPR”). This notice relates specifically to our collection and use of personal information of passengers using the Luton DART and visitors to the site and website.
About us
We are London Luton Airport Limited, trading as Luton Rising. We are a private limited company (company number 02020381). Our registered office address is Hart House Business Centre, Kimpton Road, Luton, LU2 0LA. We are registered as a data controller with the Information Commissioner’s Office and our registration number is ZA535129.
We aim to process information about you fairly, lawfully, and in a transparent manner. The aim of this notice is to provide you with sufficient information for you to be able to understand what we are doing with your information. If you are unsure how we are handling information about you or you think we could improve our privacy information, please let us know.
Information we collect
We collect and hold a range of information about passengers using the Luton DART and visitors to the site. This includes:
- Contact details such as your name, job title, email address, postal address and telephone number.
- Payment and refund details.
- CCTV images collected via our surveillance systems.
- Car registration number of visitors.
- Details of any complaints you make.
- Records of your correspondence with us, either through our website, telephone, e-mail or post.
- Technical data including your IP address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website.
- Your marketing and communications preferences.
- Voice Recording over Radio: In certain situations, we may record voice communications over radio channels for purposes such as security, safety, or operational monitoring.
Sensitive personal information we collect
We may also collect, store and use the following more sensitive types of personal information (known as “special category data”):
- Whether or not you have any accessibility requirements so that we can accommodate visits to the site.
These lists are not exhaustive, as we hold records of most contacts we have with you, or about you, and we process this information so we can manage the Luton DART.
How information is collected
The information we hold will either have been provided by you (e.g. as you interact with us) or be collected by our surveillance systems whilst you use the Luton DART.
Purposes for processing
We have set out below a description of all the ways we plan to use your information, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate. We may process your information for more than one lawful ground depending on the specific purpose for which we are using your information.
| Purpose/Activity | Type of Information | Lawful Basis for Processing Information |
|---|---|---|
| To maintain the safety and security of the Luton DART for our staff and our passengers | CCTV images | Performance of a legal obligation |
| To detect, prevent and/or reduce crime | CCTV images | Performance of a legal obligation |
| To detect, prevent and/or reduce harassment and disorder | CCTV images | Performance of a legal obligation |
| To manage our relationship with passengers, including responding to correspondence and dealing with complaints | Contact details Complaints details Records of correspondence |
Necessary for our legitimate interests to improve our services |
| To use data analytics to improve our website, services, marketing, passenger relationships and experiences | Technical information | Necessary for our legitimate interests to better understand our passengers and visitors and their use of our services, to keep our website up to date, to develop our business and to inform our marketing strategy |
| To send you our email updates because you have requested us to do so | Contact details Marketing and communications information |
Consent Performance of a contract Necessary for our legitimate interests to develop our products and services and to grow our business |
| To sell tickets and process concessionary orders. | Contact details Payment details |
Performance of a contract |
Purposes for processing – Sensitive personal information
We have set out below a description of all the ways we plan to use your information, and which of the legal bases we rely on to do so
| Purpose/Activity | Type of Information | Lawful Basis for Processing Information |
|---|---|---|
| To ensure your accessibility to our site | Health and medical information | Vital interests Necessary for the purposes of carrying out obligations under the Equality Act 2010 Data Protection Act 2018 Schedule 1 Part 1 Para 1 – necessary for the purposes of carrying out obligations under the Equality Act 2010 |
Payments
PayPal is an independent Controller for the purpose of Processing Customer Data. For further information about the PayPal Privacy Statement please visit braintreepayments.com.
Our marketing communications
Where you have agreed for us to contact you with updates relating to Luton DART, we will send you information we believe might be of interest to you via email or text message (we call this marketing communications).
You can ask us to stop sending you marketing communications at any by following the unsubscribe links on any marketing communications sent to you or by contacting us at any time.
Sharing personal information
Where necessary or required, we may share your personal information as follows:
- With third party service providers, in connection with services performed on our behalf. For example, our email provider, our CCTV provider, our CCTV operators, our platform provider and analytics and search engine providers that assist us in the improvement and optimisation of our website.
- With government bodies and law enforcement agencies.
- With our insurers and legal advisers.
- With the Department for Transport.
- With third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
- With data processors to provide or assist with some of our services, for example, the processing of bookings.
- With payment providers to process payments.
This list is not exhaustive as there are other circumstances where we may also be required to share information, for example:
- To meet our legal obligations.
- In connection with legal proceedings (or where we are instructed to do so by Court order).
Our relationships with third party services providers are governed by contractual provisions with us and they only have access to personal information to perform the described purposes and may not use it for other purposes.
Where we store personal information
The personal information that we collect is stored within the UK and European Economic Area (EEA). However, there may be some circumstances where it is necessary to transfer and store personal information at a destination outside the UK or the EEA. In these circumstances, we will take all steps reasonably necessary to ensure that personal information is treated securely and in accordance with data protection law and, in the event that personal information is transferred outside the UK or the EEA, shall ensure that this is carried out subject to the requirements of the UK GDPR.
How long we keep it for
We will only retain personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. For information collected via CCTV, this will be kept for a maximum of 31 days after which point it will automatically be deleted. Some CCTV footage may be retained beyond 31 days if so required for investigative or evidential purposes.
Your rights
Under the UK GDPR and the Data Protection Act 2018, you have the following rights:
- Right of access - You have the right of access to information we hold about or concerning you.
- Right of rectification or erasure - If you feel that any data that we hold about you is inaccurate you have the right to ask us to correct or rectify it. You also have a right to ask us to erase information about you where you can demonstrate that the data we hold is no longer needed by us, or if you withdraw the consent upon which our processing is based, or if you feel that we are unlawfully processing your data.
- Right to restriction of processing – In certain circumstances, you have a right to request that we refrain from processing your data.
- Right of portability – In certain circumstances, you have a right to receive any personal data that you have provided to us in order to transfer it onto another data controller.
- Right to object – In certain circumstances, you have a right to object to our processing of your personal data.
- Right to withdraw consent - In the circumstances where you may have provided consent to the collection, processing and transfer of personal information for a specific purpose has been provided, you have the right to withdraw consent for that specific processing at any time.
Please note, there are some specific circumstances where these rights do not apply and we can refuse to deal with your request.
To exercise any of these rights, please contact Luton Rising’s Data Protection Officer using the contact details below.
Complaints
If you have a concern about the way we are collecting or using personal information, we would ask that you raise your concern with us in the first instance by using the contact details below.
You also have a right to lodge a complaint with the Information Commissioner’s Office (ICO) should you feel that we have not handled your information in line with legislative and regulatory requirements. They can be contacted at:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
0303 123 1113 | www.ico.org.uk
Contact Details
For further information on how to request your personal information, exercise any of your data protection rights or request further information in relation to how and why we process your information, you can contact us by emailing the Data Protection Officer at DataProtection@lutonrising.org.uk.
Alternatively, you can write to the Data Protection Officer at the following address: Data Protection Officer
Hart House Business Centre
Kimpton Road Luton
LU2 0LA
Changes to this privacy notice
We may change this privacy notice from time to time. This privacy notice was last updated in February 2025.