
Privacy Policy

VA RAIL LIMITED provides Franchise Bidding, Passport Applications, Market Development, Performance Improvement, Alliancing, Programme Management, Digital Railway and Engineering Review Panels – as well as helping innovative tech start-ups to break into the rail industry.

VA RAIL LIMITED’s clients include local and national government departments, transport operators, owning groups, regulators, technology companies and key suppliers in the UK and Europe.

If you have any questions about VA RAIL LIMITED’s use of data, please contact our Data Privacy contact or telephone: 07802 549727

This Data Privacy Notice explains how VA RAIL LIMITED controls, processes, handles and protects any personal data whilst you are browsing or using this website, and your rights under current UK laws and regulations, including the General Data Protection Regulation (GDPR).

Personal Information collected

We may collect the following personal information:

  • Technical information: We may collect technical information about the hardware and software that you are using to access this site such as browser type, browser version, operating system, device type, MAC address, unique identifiers and mobile network information;
  • Online data: data about your visit to, through and from our website (including date and time), information about your network including about devices, nodes, configurations, connection speeds and network application performance; pages viewed or searched for, page response times, download errors, length of visits and interaction information (such as scrolling, clicks, mouse-overs) and whether you click on particular links or open our emails;
  • Contact information: your name, position, nature of your professional role, organisation, telephone and mobile phone number, email and postal address;
  • Business information: data relating to matters on which we engage in business with you in which you are identified, including information about you and your company as a client or supplier of goods or services to us;
  • Information about you already published on public sources: e.g. professional networks, directories or internet publications and social media platforms;
  • Subscriptions/events: your details relating to receiving our updates and newsletters as well as consent preferences to help us identify which of our materials you are interested in receiving and events and social occasions you may wish to join;
  • Information at our business premises: to sign you in and record your attendance at our offices and those of our clients for security and fire safety purposes;
  • Special categories of personal data: such as dietary requirements and disability or special access requirements for events, travel and meeting arrangements so that we can better serve your needs;
  • Criminal record data: where legally permissible and relevant/appropriate.

Sources of information

We source this information either

  • by you providing it to us;
  • by obtaining it from third parties, including your own organisation and information providers who assist us with our legal obligations to conduct anti-money laundering and regulatory checks; or
  • by creating it ourselves in the course of commercial activities during our engaging in business with you.

How we use your personal data

We use your personal data for the following purposes:

  • Service provision: providing our consulting services to clients and capturing and monitoring their feedback to improve our quality management;
  • Relationship management and marketing: managing and administering our relationship with you and your organisation including keeping records about business contacts and so that we can maintain and improve the quality of our offering for our clients and include you in emails, newsletters and other messages to keep you informed about our services and industry insights;
  • Events: organising social events, briefings and other events;
  • Regulatory: in compliance with legal and regulatory obligations and best practice including auditing and reporting requirements, money laundering regulation and client conflict of interest;
  • Website monitoring: to check that our website and other technology services are being used appropriately and to optimise their functionality;
  • Premises security: to provide security to our premises and monitoring attendance for health and safety purposes;
  • Online security: protecting our information assets from unauthorised access or usage and to monitor for malware and other security threats;
  • Managing suppliers; and
  • Legitimate interest: to pursue the legitimate business interests listed in the ‘Legitimate Interests’ section of this Data Privacy Notice below.

Why we use your personal data

We are able to process your personal data because:

  • you have given us consent to do so; or
  • it is necessary to comply with legal or regulatory obligations; or
  • it is necessary to our legitimate business interests or those of our clients and does not override any interests or rights that you have as an individual. Our legitimate interests are listed below.

Legitimate interests

We have legitimate business interests in:

  • providing consulting services;
  • managing our business including the financial and regulatory aspects of it;
  • maintaining and developing our relationship with our clients and the wider industry including understanding how our clients use our service and capturing their feedback on our services;
  • improving our services and offerings;
  • enforcing our terms of engagement and other terms and conditions;
  • ensuring our premises and online systems are secure;
  • managing our supply chain; and
  • developing relationships with business partners.

Our reasons for using special category information

What is special category personal information?

Special category personal information is sensitive data such as your racial and ethnic origin and information relating to disabilities, religious beliefs or sexual orientation, health information and data relating to criminal convictions. We may process this data where: –

  • we have your explicit consent for that instance of processing the data;
  • it is necessary to protect your vital interests or those of another person: for example, in a medical emergency;
  • you have made such data public: for example, by publishing or posting it on social media; and
  • for substantial public interest: for example, to prevent or detect unlawful acts.

With whom do we share your personal data?

  • VA RAIL LIMITED staff and associate consultants in order to provide legal services;
  • Suppliers: who supply our business needs (including in relation to IT and communication, apps and social media support, printers and outsourced legal and financial professional advisers) and whose work meets minimum standards as to data security under GDPR;
  • Law enforcement bodies and regulators;
  • Appropriate parties in the event of emergencies: in particular to protect the health and safety of our clients, staff and consultants;
  • Your company or organisation: in relation to us providing consulting services; and
  • Other guests and delegates: in relation to a circulated attendee list for events where you have responded to an invitation from us.


Personal data about third parties

You must ensure that you have obtained the consent of all third parties (customers, employees, directors etc.) about whom you share data with us and that you have given them appropriate notice of that disclosure.

Data Security

We will hold your information securely in line with our physical, technical and administrative security processes. Although we will take reasonable measures to protect your personal information, we cannot guarantee the security of your information transmitted via the internet.

Where will your information be held?

VA RAIL LIMITED offers consulting services in the UK and Europe. Your personal data may therefore be transferred by us out of the EU. If we do so, we will use reasonable endeavours to protect your information in line with locally applicable data protection requirements.

How long do we keep your data?

We will retain your information as necessary to comply with legal, accounting or regulatory requirements and as needed to provide our consulting services.

Your Rights

You have certain rights in relation to your personal data held by VA RAIL LIMITED although some of these rights will only apply in certain circumstances. If you would like to exercise, or discuss, any of these rights, please contact the relevant Data Privacy contact as listed in this Policy above. You have the following rights:

  • Access: you are entitled to request access to your personal data and to receive a copy of the personal data we hold about you and other information. VA RAIL LIMITED will handle subject access requests in accordance with GDPR.
  • Correction: you are entitled to request that VA RAIL LIMITED corrects any incomplete or inaccurate personal data we hold about you;
  • Erasure: you are entitled to ask us to erase or remove personal data in certain circumstances. There are also certain exceptions where we may refuse a request for erasure, for example, where the personal data is required for compliance with law;
  • Restriction: you are entitled to ask us to restrict and suspend the processing of certain of your personal data whilst you make enquiries under your other rights set out here;
  • Transfer: you may request us to transfer certain of your personal data to another party;
  • Objection: where we are processing your personal data based on a legitimate interest (or those of a third party) and you decide to challenge this; and
  • Withdrawal of Consent: where we are processing personal data with consent, you can withdraw your consent.

If you want to exercise any of these rights, please contact the Data Privacy contact set out in this Data Privacy Notice above in writing.

You also have a right to lodge a complaint in the jurisdiction where you are resident, where an alleged infringement of Data Protection law has taken place or, in the UK, you can make a complaint to the Information Commissioner’s Office (Tel: + 44 (0) 303 123 1113 or at .


Direct Communications

We reserve the right to use the information you give us on our website or by other means for direct marketing purposes to send emails, newsletters and other material to inform you of VA RAIL LIMITED events and industry insights and our services that we think may interest you.

You can opt-out of receiving these communications from us at any time by contacting the VA RAIL LIMITED Data Privacy contact named above.


Links to third party websites

Our website, any newsletters, email updates and other communications may, from time to time, contain links to and from third party websites. The personal information that you provide through these websites is subject to the privacy arrangements for those websites and we cannot be responsible for it.

Changes to this Notice

We reserve the right to change this notice from time to time as we are committed to improving our processes.