Privacy Policy

This Privacy Policy sets out the processes and procedures Limited and Trainline S.A.S (together the “Trainline Group of Companies”) (also referred to as “we”, “us” and “Trainline”) have in place in relation to the collection, use and disclosure of information that candidates provide to us as part of the application process.

By submitting your information (including directly, or indirectly for example through a recruitment agency or online job portal) you note the terms of this Privacy Policy and acknowledge how we collect, use and disclose your personal information and how to exercise your rights. 


Information you provide to us directly

You provide us with personal data, for different purposes at different stages of the application process.  To make thing simple, we have split the key processing areas into sections below.


Application and provisional offer stage:

We process personal data that relates to you for the purposes of:

  • Confirming your identity and right to work;
  • understanding your work history; and 
  • ensuring you have the necessary skills and attributes to successfully perform the advertised role.

For the above purposes, our processing is a necessary for the purposes of entering into a contract for employment.

We collect certain categories of special or sensitive data which pertain to health, disability and protected characteristics in order to provide reasonable adjustments and to comply with our obligations under relevant Equality and Health and Safety Laws.  This information is voluntary to provide and will only be collected on the basis of your explicit consent.

For candidates applying for a job in our London or Edinburgh office ( Limited employment), we may also need to undertake criminal record background and financial probity checks; as applicable and as necessary for the role applied for.  This may involve processing special categories of data relating to active criminal offences and information about your credit score.  We use third party service providers to undertake this activity, listed below, who act as Data Controllers and process information in line with their privacy policies:   

Experian – Privacy Policy

We process this information, where necessary, to enable us to determine your suitability for employment as part of our obligations as an employer.  We ensure that we provide appropriate safeguards by only using third parties who provide suitable assurances and performing these checks only when necessary and relevant to the performance of a role. If you are unwilling to provide this information, then we may not be able to proceed with your offer of employment.


Indirectly provided information

If you have been made a provisional offer, we will need to obtain appropriate references to cover your last three years of employment.  In such circumstances we will need you to provide us with the contact details for referees and will approach those referees for the purposes of validating your work history and skill set thereafter (waiting until you have confirmed you have handed in your resignation to your current employer, where applicable).   This activity is in line with our legitimate interest in verifying your experience.  If you choose not to provide this information, we will not be able to proceed with your application.  


Retention of information

In the event that your application is successful your information will be transferred to your employee file and held in accordance with the privacy policy set out in our Staff Handbook.  In the event that you are made an offer, the Staff Handbook will be made available to you at that time.

If your application is unsuccessful, we may continue to hold your information in our talent pool for future vacancies and/or further applications made by you for a position with us; in line with our legitimate interest of contacting you about future posts that you may be suitable for.  The maximum period we would retain data in respect of unsuccessful applications is two years from the date your application was submitted.  If you would not like us to retain your information to contact you about future posts, please just let us know and we will delete it.  Please note that we may retain pseudonymous and where possible, anonymised statistical information to help inform our recruitment activities.


Sharing of Information

We may share your information within the Trainline Group of Companies and with third party service providers for the purposes of collecting, processing and validating your personal information to support your application.   These service providers will only have access to the personal information needed to perform the relevant service and will not use your personal information for any other purpose. They will also be required to use your personal information strictly in accordance with data protection laws, including maintaining adequate security measures to protect such personal information.  Where any of these service providers are located outside of the EEA, we ensure that suitable safeguards exist and are documented. 



We take the security of your data very seriously. We employ physical, electronic and administrative security measures to protect the information that we collect about you from access by unauthorised and unlawful processing and against accidental loss, destruction and damage.


Access to Personal Information and exercise of your rights

We will comply with the following requests to exercise “individual rights” over personal data we process:

  • to be informed about processing of data;
  • to access data;
  • to prevent or restrict certain processing activities;
  • to rectify inaccurate data; and
  • to request that certain data is deleted.
  • to “port” data (transferring data to another data controller in an easy to read manner); and
  • to object to how we are handling personal data.

We will endeavour to provide a response to individual rights request in a timely fashion.  We legally have up to one calendar month from the date of receipt to respond, (which may be extended in complex or voluminous requests) providing that:

  • you have supplied any information that is reasonably required to confirm your identity and given us clarity about the relevant personal data that you're requesting; and
  • we have not already complied with an identical or similar request within a very short timeframe.

Please note that where we receive a request, we will need to balance your rights against any obligations we have as a Data Controller to process personal data, for example because we have an overriding legal obligation to keep it.  Where we are unable to deal with a request; either in full or in part, we will explain the reasons clearly. 


Who to contact and complain to

Please contact us by emailing us at: or writing to us at: Data Protection Officer, Limited, PO Box 600 6162, Edinburgh, EH11 3YT. Please note that we may require proof of your identity before we can comply with your request. 

If you are applying for a job in our Paris Office, the relevant Data Controller entity is Trainline S.A.S. and the Supervisory Authority who you may complain to is: Commission Nationale de L'informatique et des Libertés: (

If you are applying for a job in any other location, the Data Controller responsible for the processing of your information is and the Supervisory Authority who you may complain to is:  the Information Commissioners Office (