This Privacy Policy applies to SBB AG.

Protecting your privacy means a lot to us. We respect your identity and privacy and ensure that they are protected and that your personal data is processed in accordance with the applicable laws.

Personal data includes all the details and information that refer to a specific or identifiable person. In addition to contact details such as your name, telephone number, address and e-mail address, this also includes other details you provide us with, such as your date of birth. 

This Privacy Policy is our way of informing you which of your data we process, why we require this data and how you can object to your data being collected. 

When we refer to the processing of your personal data in this Privacy Policy, we mean all the ways in which your personal data is handled. This includes data storage, processing, use, deletion, etc.

Who is responsible for data processing? 

SBB AG is responsible for processing your data.

Please do not hesitate to contact our in-house data protection officer, Mr Claudius Ettlinger, if you have any questions or comments regarding data protection. You can either write to him by post:

SBB AG
Data protection officer
Hilfikerstrasse 1
CH-3000 Bern 65

or by e-mail: datenschutz@sbb.ch.

Why do we collect personal data?

We know how important it is to you that your personal data is handled carefully. Data is only ever processed for specific purposes. This could be out of technical necessity or due to contractual requirements, legal provisions, overriding interest, i.e. for legitimate reasons, or if you have granted your express consent. We collect, store and process personal data where necessary. This includes for the purposes of managing customer relationships, providing our products and services, processing orders and contracts, making sales and issuing invoices, responding to questions and concerns, preparing information on and marketing our products and services, assisting with technical issues and evaluation and further developing products and services.

What data is collected when services are purchased?

For contractual reasons, we require personal data for online orders and the purchase of certain products and services in order to carry out our services and to conduct the contractual relationships concluded in this connection. This is the case for travelcard purchases, for example.

When services are purchased, we collect (depending on the product or service) the following data, among others: 

• The gender, name and e-mail address of the passenger or person buying the service
• Other details such as postal address and date of birth
• The type of product or service being purchased
• The place of departure and destination
• The purchase and travel date or period of validity or departure time
• The price
• The purchasing channel (Internet, machine, counter, etc.) and place of purchase

What data is processed for marketing purposes?

Unless you object, we will use the following for marketing purposes: your customer data (e.g. name, gender, date of birth, address, customer number, e-mail address), your contractual and travelcard data, details of single tickets or other services you have purchased and your click patterns on our website or in e-mails.

We evaluate this data in order to send or show you the most relevant information and offers possible (by e-mail, letter, text message, push notifications in the app and personalised teasers on our website, or in person at the counter). Furthermore, we only use data which we can assign to you, e.g. because you have identified yourself or signed into sbb.ch with your SwissPass login and purchased a ticket. We also use methods that predict potential future purchasing patterns based on your current purchasing patterns. 

Each time you receive information and offers for marketing purposes, you have the option to unsubscribe from further messages. For example, every e-mail has an unsubscribe link via which you can unsubscribe from further messages with one click. If you have a SwissPass login, you can sign in to sbb.ch at any time to manage your settings under “Offers and advertising” to decide which marketing news you receive. You can also subscribe or unsubscribe at any counter or by calling the SBB Contact Center (0848 44 66 88 / CHF 0.08/min.).

What data can be processed for marketing purposes?

We carry out regular market research in order to continuously improve the quality of our services and offers. This may mean that we use your contact details for online surveys. If you would not like to take part in these surveys, you can opt out here or by e-mail to unsubscribe@sbb.ch.

Registering at swisspass.ch.

If you wish to make full use of our websites and apps, you will need to set up a user account. To do so, you will need to provide the following data:

• Name
• Date of birth
• Address
• E-mail address

When using single sign on (SSO), your login, customer and service data (name, date of birth, address, e-mail address for correspondence, e-mail address login, data on the valid service) is shared between the central login infrastructure of the public transport association, the partner platform and us as part of the authentication process.

What data is processed when our websites are used?

You can visit our websites without having to provide any personal information as a matter of principle. When you visit our websites, our servers temporarily store each access in a log file. The following technical data is collected in the process and stored until it is automatically deleted after seven months at the latest:

• IP address of the computer requesting access
• The date and time of access
• The website from which our website is being accessed, including the search term where applicable
• The name and URL of the file being requested
• Any search queries performed (timetable, webpage’s general search function, products, etc.)
• The operating system on your computer (provided by the user agent)
• The browser you are using (provided by the user agent)
• The type of device when accessed via mobile phone 
• The transmission protocol being used 

This data is processed and collected for the purposes of system security and stability and for analysing errors and performance as well as for internal statistical purposes. It enables us to optimise our website.

The IP address is also used to set the default language on the website. The IP address is also analysed together with other data when there is an attempt to access the network infrastructure or in the event of other unauthorised or improper use of our websites for information and defence purposes and, where applicable, is used for the purposes of identification during criminal proceedings and in civil and criminal procedures against the data subject. 

Finally, when you visit our websites, we use cookies and other applications and tools which are based on cookies. You can find further details below in this Privacy Policy.

SBB does not accept any guarantee for compliance with data protection regulations for external websites that are linked to SBB websites.

What are cookies and when are they used?

We use cookies in certain cases. Cookies are small files that are stored on your computer or mobile device when you visit or use our websites. Cookies store certain settings via your browser and data about the exchange with the website via your browser. When a cookie is activated, it can be given an identification number via which your browser is identified and via which the information contained in the cookie can be used. You can set up your browser so that a warning appears on your screen before a cookie is stored. You can also opt out of the benefits of personalised cookies, which will mean you cannot use certain services.

How are tracking tools used?

We use the web analytics services run by AT Internet, Google Analytics and other third parties for the purposes of designing and continuously optimising our websites, apps and e-mails in line with customer needs.

In conjunction with our websites, pseudonymised user profiles are created and small text files used which are stored on your computer (see “What are cookies and when are they used?” above). The information about your use of these websites generated by the cookies is transmitted to our suppliers’ servers, where it is stored and prepared on our behalf. In addition to the data listed above (see “What data is processed when our websites are used?”), we receive the following information as part of the process:

• The navigation path via which the visitor is accessing the website
• The length of time spent on the webpage or subpage
• The subpage from which the visitor leaves the website
• The country, region or city from which the visitor accesses the website
• The device (type, version, colour depth, resolution, width and height of the browser window)
• Returning or new visitors

The information is used to evaluate the visitor’s use of the websites 

We use third-party e-mail marketing services when sending e-mails. Our e-mails may therefore contain a so-called web beacon (tracking pixel) or similar technical tool. A web beacon is an invisible graphic measuring 1x1 pixels which is associated with the user ID of the relevant e-mail subscriber. 

The use of corresponding services enables us to evaluate whether our e-mails have been opened by their recipients. It also allows their click patterns to be recorded and evaluated. We use this data for statistical purposes and to optimise the content of our messages. This allows us to better align the information and services in our e-mails with the specific interests of each individual recipient. The tracking pixel is deleted when you delete the e-mail.

To prevent the use of the web beacon in our e-mails, adjust the settings in your e-mail programme to stop HTML being displayed in messages.

You can find out more about our main tracking tools below.

a. AT Internet web analytics service.

We use the web analytics service run by France-based AT Internet on our websites. The last three digits of the IP address are deleted immediately after it is collected and before it is further processed to ensure the information is anonymous. Furthermore, the IP address is not linked to any other information that enables us to identify visitors. 

For more information on AT Internet’s measuring process, please visit the AT Internet GmbH website: https://www.atinternet.com/en/company/data-protection/data-collection-on-our-customers-sites/Link opens in new window.. You can request that your data not be processed by AT Internet via the following link: http://www.xiti.com/en/optout.aspxLink opens in new window..

b. Google Analytics.

Google Inc., a company of the US-based holding company Alphabet Inc., provides the Google Analytics service. Google does not link the anonymised IP address transmitted by your browser as part of the Google Analytics service to other data. Only in exceptional cases will the full IP address be transmitted to one of Google’s servers in the US and shortened there. According to Google Inc., the IP address is never linked to other data relating to the user. 

For more information about the web analytics service used, please visit the Google Analytics website. For an introduction to how you can prevent your data from being processed by the web analytics service, visit https://tools.google.com/dlpage/gaoptout?hl=enLink opens in new window..

c. NET-Metrix AG.

External company NET-Metrix AG measures and evaluates access to our website and apps in anonymous form. We participate in the surveys/publications set up by NET-Metrix-Audit, NET-Metrix-Mobile and NET-Metrix-Profile as part of the NET-Metrix study.

d. DoubleClick (Google).

We use Google’s DoubleClick function on our websites to evaluate the use of our site and to allow us, Google and other advertisers who work with DoubleClick to show you user-relevant advertising. A cookie is installed on your computer’s hard drive for this purpose. This cookie is used to give your browser a pseudonymous identification number and to collect information about the advertisements displayed in your browser and how they are accessed. The information collected by the cookie about your use of the websites is generally transmitted to one of Google’s servers in the US and stored there. Based on the data collected, categories of interest are assigned to your browser. These categories are used to place adverts that are relevant to those interests.

As well as changing your browser settings, you can also use a browser plug-in to permanently deactivate the DoubleClick cookie. If you have the plugin, your deactivation settings will remain unchanged for that specific browser, even if you delete all cookies. You can find the browser plugin to permanently deactivate the function hereLink opens in new window..

What are social plugins and how are they used?

Our websites use social plugins from sites such as Facebook. The plugins are marked with the provider’s logo, e.g. “Like” buttons.

If you access one of our websites and it contains one of these plugins, the provider will be notified via the plugin that you have accessed our website. If you are logged into the provider’s site at the same time, the provider can match up your visit to your profile. If you interact with the plugins, the corresponding information will be transmitted directly from your browser to the provider and stored there.

If you do not want providers to collect data about you, you can select the “Block cookies from third-party providers” option in your browser settings. If there is embedded content from other providers, the browser will then no longer send corresponding information to that provider’s server. However, in some cases this setting will mean that other content on our website no longer works.

Displaying adverts.

We use third-party providers (ad servers) to place advertisements on our websites and in our apps. When a user visits our websites and apps, a request is sent to the ad server when they access the page. In order to place adverts for products and services that interest or are more relevant to you, we provide the following information to the ad server when you access the site:

• Profile data (age, place of residence and gender)
• Travel data (place, time, date and day of departure, destination, arrival time, date and day, class of travel)
• Rough GPS coordinates
• Unique user ID (for the use of advertising frequencies, post-click tracking and cookie targeting)
• IP addresses (stored on the ad server in hashed form)
• Information on the browser and operating system
• Device manufacturer and model

For each ad hoc request, the ad server checks whether a suitable campaign is running and then delivers specific, non-specific or no advertising at all at random and depending on capacity. No historical data or names, telephone numbers or e-mails are collected. The information listed above is never transmitted to advertising customers but is used exclusively for the one-off delivery of advertising and is not stored for further use. You can manage the advertising displayed to you via the app settings under “More settings”.

Apps.

a. SBB Mobile.

The following data is processed in the following ways when using SBB Mobile: 

• Personal data and purchased tickets are only stored on our systems.
• Payment methods are registered with our leading e-commerce contractual partner (Datatrans) without our involvement.
• To allow us to provide location-based timetable information, anonymous locations are sent to our timetabling systems. These locations are not stored. If you would like to prevent your location data from being transmitted, deactivate the GPS function on your device.
• To optimise the app, anonymous tracking data is collected during use and sent to a third-party provider (AT Internet).
• To improve the app’s technical performance, data is collected on technical errors and sent to a third-party provider (Fabric) in anonymous form.

b. SBB MyWay.

We provide the SBB MyWay service in partnership with MotionTag GmbH based in Potsdam, Germany. The following data is processed when you use SBB MyWay:

• Your contact details: You will require a SwissPass user account in order to use this service. The profile data saved in this account can be processed by the MyWay service.
• Data relating to your location, movements and interaction, specifically: geo coordinates, their accuracy and their time of localisation, gyro sensor/gyroscope values, acceleration data, barometer/air pressure data, magnetometer data, movement activity from the operating system and the related confidence levels.
• Technical data, specifically the device type, operating system version and the app version.
• To optimise the app, anonymous tracking data is collected during use and sent to a third-party provider (AT Internet).

We use the data to evaluate your mobility and recurring habits. We may supplement the data collected with additional non-personal data. We also use the data collected to provide and improve the service and for support purposes.

If you have provided us with additional data as part of a research project, we may combine the original data with the additional data from the research project. 

Anyone taking part in a research project will be notified in advance if their data will be used in any other way as part of the project. Your data will not be used for any other purposes without your consent.

MotionTag will only store and use the data for the purpose of providing and improving the service.

c. P+Rail.

You will need to register on swisspass.ch in order to purchase products and services online via the “P+Rail” app. You are also required to provide your car registration plate number(s) and payment method(s).

d. My station.

When you use the “My station” app, your location will only be determined via your device. The calculated position is not transmitted to us nor to third parties. It is not possible to identify the specific individual.

Push notifications in apps.

We use push notifications to inform you about matters that may require your special attention or a response from you.

Once you have downloaded the app, the device registers itself with the corresponding push service. The service then sends the registration ID or the token to the registered device and the app sends the registration ID or token to the server, where it is stored in a database. If a push notification is sent, the server sends the desired notification with a registration ID or token to the push service, which sends the push notification to the relevant end devices.

You can manage whether or not you wish to receive push notifications when you first set up the app. You can deactivate push notifications at any time.

SBB WiFi.

You need to register you device in order to use SBB WiFi. Your registration is valid for 12 months. When you register, you automatically share your mobile phone number and the MAC address of your device with us. As well as this data, other data on the area of the station visited, the time, date and device is collected each time SBB WiFi is used.

Please be aware that, as a telecommunications service provider, we are registered with the Swiss Federal Office of Communications and as such are bound by the legal obligations of the Swiss Federal Act of 6 October 2000 on the Surveillance of Post and Telecommunications, and its related ordinance. Provided the legal conditions are met, we are required, on behalf of the responsible authority, to monitor directly or through a third party the use of the Internet and the data traffic between the customer and the Internet. Furthermore, we may be required to disclose the customer’s contact, usage and peripheral data to the authorised administrative bodies.

The usage and peripheral data generated when establishing and ending electronic connections will be stored in personally identifiable form for six months before being anonymised. From the time the WiFi service registration is cancelled or 12 months after registration, contact data will be stored for another six months and then destroyed.

Contact form.

You have the option of using a contact from to get in touch with us. You will be required to enter certain personal data (indicated on each form):

We will only use this and other data provided voluntarily (such as title, address, telephone number and company) to answer your message as accurately and specifically as possible. In addition, any information you voluntarily provide as to how you became aware of our offer is used for internal statistical purposes.

If you get in touch regarding real estate, in certain cases the data you enter may be transmitted directly to a real estate agent working for us. This agent will also process your data for these purposes only.

Getting in touch with the SBB Contact Center.

If you telephone our SBB Contact Center, your conversation will be recorded for training purposes. You will be notified that your conversation will be recorded at the beginning of the call. The recordings will be deleted after six months.

We store all of the e-mails which we receive via contact forms.

Forums and Chat.

You can participate in interactive forums like Chat, Message Board and other platforms on sbb.ch and SBB’s other online services. Please bear in mind that any information you disclose on these forums will be visible to the public.

How long will your data be stored for?

Your data will be deleted once it is no longer required for the purpose for which it was collected (e.g. as part of a contractual relationship). If there are legal or factual obstacles that prevent us from deleting the data (e.g. legal obligation of safekeeping), it will be made unavailable instead.

What rights do you have in relation to your personal data?

You have the following rights in relation to your personal data:

• You can request information about the personal data we have stored
• You can request for your personal data to be rectified, supplemented, blocked or deleted
• If you have set up a user account, you can delete this or have it deleted
• You can object to your data being used for marketing purposes

To exercise these rights, simply write a letter to:

SBB AG
Data protection officer
Hilfikerstrasse 1
CH-3000 Bern 65

or e-mail: datenschutz@sbb.ch.

Will data be disclosed to third parties?

Your personal data will not be disclosed, sold or transmitted in any other way to third parties outside the public transport industry unless this is necessary for the purposes of executing a contract or you have granted your express consent.

Data is disclosed within the so-called "Direkter Verkehr" (direct services), an association of over 240 public transport companies, and to transport networks for the purposes of executing contracts, checking tickets, providing after-sales services and (to a very limited extent) for marketing purposes.

External service providers (for example printing houses) that process data on our behalf are under strict obligations as regards the Swiss Federal Act on Data Protection. Under data protection law, these external service providers are therefore not considered third parties. 

Will your personal data be transmitted abroad?

We are also authorised to transmit your personal data to third parties (for example external service providers) abroad. These are obliged to comply with data protection law to the same extent as we are. If the level of data protection in a country does not match that in Switzerland, we shall contractually ensure that your personal data is protected to the same level as in Switzerland at all times.

Data security.

We employ suitable technical and organisational security measures to protect the personal data we store from manipulation, partial or total loss and unauthorised access by third parties. Our security measures are continuously improved in line with technological development.

We also take data protection within SBB very seriously. Our staff and the external service providers working on our behalf are committed to maintain confidentiality and to comply with data protection provisions.

We will take appropriate precautionary measures to protect your data. However, the transmission of information over the Internet and other electronic means always carries certain security risks and we cannot offer any guarantee as regards the security of information transmitted in this way.

Amendments to this Privacy Policy.

We reserve the right to amend or supplement this Privacy Policy at any time at our discretion. Please consult this Privacy Policy regularly.

Last updated: May 2018