What data do we collect ?
At Oui.sncf, we scrupulously follow the principle of "minimisation", meaning that we collect only the data that is strictly necessary to the purposes defined above, namely:
- identification data (name, email address, IP address) : This data is essential for any orders, registration for a customer account or for the security of the sites and transactions of Oui.sncf;
- banking data : This data is essential for any orders or reimbursements. Also, you can register your banking details (except the card security code) in your customer account to facilitate your future purchases;
- data related to your searches and your order (product purchased (destination, date, price,…)) : This data is essential to provide the ordered service and after-sales service;
- data related to your habits and centres of interest (favourite destinations, choice of additional services,…) : This data is useful for making personalised offers;
- contact data (telephone no, email address, postal address) : This data is useful to contact you if required (problem related to your order or a purchased product, travel information) or to send you your train tickets, either to your home or electronically;
- technical data: during browsing, Oui.sncf collects information such as the version of your browser, operating system used or the model of terminal used. This data is necessary for optimal display and functioning of Oui.sncf sites and applications;
- geolocation: the Oui.sncf mobile application includes a geolocation function that can be activated exclusively through consent from you. This data lets us offer you personalised services (closest station/next departure from the nearby station);
- browsing data (searches, number of visits, date of last visit,…) : This data is useful for making commercial offers.
How do we collect the data ?
At Oui.sncf, the sources of data are:
- when you complete forms on the Oui.sncf sites and applications,
- when you browse Oui.sncf sites and applications (pages consulted, duration of consultation of pages),
- when you specifically give your consent (geolocation);
For each of them, you are informed of the data that is necessary and that which is optional, by asterisks on the entry forms.
- the technical information :
- your IP address, the telecoms operator and the macroscopic location of the IP address,
- the information provided by the browser on the operating system and the browser used,
How long is the data retained ?
The data is only kept for periods that are strictly necessary:
- to the implementation of orders;
- to legal and regulatory constraints, notably in matters of dispute management;
- to the provision of personalised services.
The general data retention policy used by Oui.sncf is as follows:
- identification data: three years from the last visit to the site or connection to the service;
- order data: three years from the date of the order;
- bank details:
- either a maximum of 13 months in order to manage the after-sales service (reimbursements),
- or for the period of validity of the bank card in case it is recorded on the customer account;
- prospect data: one year after the date of the last activity on Oui.sncf sites or the last opening of a newsletter;
- connection logs: one year from each connection;
- cookies: 13 months maximum from them being saved on your computer or terminal;
- geolocation data: only for the browsing session.
What resources are used to ensure the security of the data ?
Oui.sncf is particularly vigilant concerning the security of your data and devotes significant human and technical resources to protect it. A strict security policy is in place to define the processes, working methods and rules for technical protection to be used. The security measures used include, but are not limited to:
- automated systems for protection against cyber attacks are active;
- computer code on the OUI.sncf websites is subjected to security reviews;
- automated tools periodically carry out security tests on the websites;
- the security of websites is audited by companies that are experts in the subject;
- personal data of customers is subject to strict access control;
- experts in cyber security can intervene at any time to handle security incidents.