Last updated on: Aug 25, 2020.
1. How your personal information is collected or used
2. How your personal information may be shared, assigned or publicly disclosed
3. How your personal information is stored
5. Prompts on sensitive personal information
6. Personal information security
7. Handling of information security incidents
8. Information protection for minors
9. Your rights to personal information
11. How to contact us
You understand and agree:
"Personal information" refers to all kinds of information recorded by electronic or other means that can identify the identity of a specific natural person or reflect the activities of a specific natural person individually or in combination with additional information.
"Sensitive personal information" is defined as personal information that, once disclosed, illegally supplied, or abused, may endanger personal or property security, easily damage an individual's reputation and physical and psychological health, or lead to discriminatory treatment.
The contents of the above-mentioned personal information and sensitive personal information are respectively consistent with the content of Appendix A (informative appendix)-examples of personal information and Appendix B (informative appendix)-sensitive personal information judgment of the latest version of Personal Information Security Specification.
Our services include some basic functions, such as those necessary for online ticket purchasing, improvement of our services, and guarantee of transaction security. We need to collect, store, and use the following personal information about you to realize such basic functions. If you do not provide relevant information, you will not be able to enjoy the services provided by us. The basic functions and types of personal information required are as follows:
• To register as our user, you need to create a user name and password so that we can provide services such as ticketing for you, and provide your name, gender, country/region, ID document type, ID document number, ID document validity period, date of birth, as well as the unique mobile phone number corresponding to your identity information and capable of communication, e-mail address and passenger type.
• If you want to log in by using face ID or fingerprint recognition, you need to provide your biometric information (face/fingerprint information). However, please note that we only receive the verification results of the terminal you use, and will not collect your biometric information (face/fingerprint information).
• If you only need information services such as browsing the Website and querying remaining tickets or stations, you do not need to register as our user or provide the information listed above.
To enhance the security of services that are provided by us and our partners, ensure the safety of the operating environment, identify the abnormal status of registered accounts, better protect your or other user’s or the public’s personal and property security from infringement, prevent security risks such as phishing websites, fraud, network vulnerabilities, computer viruses, network attacks and network intrusions, as well as identify more accurately violations of laws and regulations of the People's Republic of China or 12306 Website-related protocol rules, we may use or integrate your user information, transaction information, device information, location information, log information and other information which are shared by our partners with your authorization or according to relevant laws, so as to judge your account and transaction risks comprehensively, conduct identity authentication, detect and prevent security incidents, and take necessary record, audit, analysis and disposal measures according to relevant laws.
To provide more convenient services or more enjoyable experience, we provide the following extended functions, which may collect and use your personal information. If you do not provide such personal information, you can still use the essential services listed in item (I). These extended functions and the types of personal information required are as follows:
To improve our products or services and provide you with personalized information search and transaction services, after you explicitly agree and choose to grant the corresponding authorization, we will extract your preferences such as browsing/search habit, behavior & habit, and location information according to your browsing/search records, device, location, log and order information, and perform indirect group profiling and display and push information based on the feature labels.
(a) Device information: We will receive and record information about the device you are using (e.g. software and hardware characteristics information including device model, operating system version, device settings, and unique device identifier) according to the specific authorizations you grant in software installation and use.
(b) Location information: It refers to the information about your location such as IP address, GPS location and sensor information that can provide relevant location information including Wi-Fi access point, Bluetooth, and base station, which is collected when you enable the location function of the device and use services we offer based on the location. If you authorize the use of your location, the station of the city you are currently in can be automatically added to the "recently used" stations so that you can conveniently use such functions as querying ticket agencies nearby.
(c) Log information: When you use the products or services provided via our Website or client, we will automatically collect the information about the details of your use of our services, for example, your search and query content, IP address, browser type, telecom carrier, language used, access date and time, and record of pages you browse, and store these details in a relevant weblog.
• If you choose "ticket waitlist" service, you need to accomplish the person-ID document checking on the registered user.
• If you choose "meal ordering · specialty products" service, you need to provide the recipient's name, mobile phone number, date of travel, train number, carriage and seat information.
• If you choose "ticket express delivery" service, you need to provide the recipient's name, mobile phone number and address information.
• If you choose "lounge · station transfer" service, you need to provide the service date and departure train number selected by the service booker.
• If you choose "hotel" service, you need to provide the name and mobile phone number of the person to check-in.
• If you choose "car hire" service, you need to provide the name (optional) and mobile phone number of the passenger.
• If you choose "poverty alleviation mall" service, you need to provide the recipient's name, mobile phone number and address information.
• If you choose "travel insurance" service, you need to provide the applicant's name, ID document type, ID document number, and mobile phone number; if you buy the insurance for other people, you need to provide the insured's name and ID document type and number.
• If you choose "bus ticket" service, you need to provide the passenger's departure city, arrival city and date of travel.
• To display the order information of your account, we will collect the order information generated when you use our services to display such information for you and enable you to manage the order conveniently.
• When you contact us, we may store your communication/call record and content or the contact information you give, to contact you or help you solve problems, or record the solutions and results of related problems.
• You may use the products or services provided by us and our business partners via the links provided on the 12306 Website. When you use the services above via our products or services, you authorize us, according to actual business and cooperation needs, to receive, summarize and analyze your personal or transaction information provided by our affiliated companies, which we confirm are from a legal source or provided to us with your authorization. Before you use any services provided by a third party, please ensure that you have fully understood the rules of collection and use of personal information of the third party. Please contact the third party's customer service department for questions.
• The above extended functions may require you to grant us the following access permissions on your device:
(a) Camera access: If you need to use the function of scanning ticket QR code or face verification, please allow the 12306 App to access your camera.
(b) Album/photo gallery access: If you need to use the function of storing and sharing train information, please authorize the 12306 App to access your album.
(c) Push access: If you need to receive notification messages from 12306, please authorize the 12306 App for information push. If you choose to receive notifications via WeChat or Alipay, you need to provide and authorize us to use the corresponding third-party account information so that we can provide push notification service according to your choice.
Please note that by granting access to these functions, you authorize us to collect and use this personal information to realize the above functions. When you stop the grant of access, you cancel the authorization, and we will not continue to collect and use your personal information, nor will we be able to provide you with the above functions corresponding to these authorizations. Your decision to stop the access will not affect the previous processing of personal information based on your authorization.
We may conduct de-identification research, statistical analysis, and prediction on the collected information to improve the content and layout of 12306, provide a product or service reference for business decisions, and improve our products and services. For example, we may use anonymous data to conduct machine learning or model algorithm training.
According to relevant laws, regulations and national standards of the People's Republic of China, we may collect your personal information without your authorization or consent in any of the following cases:
1) Information related to our performance of obligations under laws and regulations;
2) Information directly related to national security and national defense security of the People's Republic of China;
3) Information directly related to public security, public health and significant public interests;
4) Information directly related to criminal investigations, prosecutions, trial, judgment execution, etc.;
5) Information collected to safeguard the life, property and other significant legal rights and interests of you or other individuals when it is difficult to obtain your consent;
6) Personal information disclosed to the public at your will;
7) Information necessary for signing and performing the contract at your request;
8) Personal information collected from publicly disclosed information via lawful channels such as news report or government information release;
9) Information necessary for maintaining the safe and stable operation of the products or services provided, such as finding and handling the faults of the products or services.
10) Information necessary for academic research institutions to conduct statistical or academic researches for public interests, where the personal data contained in the academic research result is de-identified when the research or description result is provided to others.
According to your choice or in accordance with the "Exceptions to obtaining prior authorization and consent when sharing, assigning and publicly disclosing personal information", we may share your order, account, contact and location information with third parties to ensure the smooth completion of the services provided for you. However, we share your personal information for legal, legitimate, necessary, specific and defined purposes only, and to the extent as necessary for service provision. Our partners have no right to use the shared personal information for any other purpose.
In some cases, we will also be entrusted to handle your personal information, and the circumstances under which we serve as trustee usually include:
• Partners entrusting us with promotion. Sometimes we provide promotion service for other companies targeting users of our products and/or services. After obtaining your consent, we provide such partners only with coverage and validity information related to the promotion instead of your personal identity information, or we summarize such information so that you cannot be identified individually. For example, we tell an entrusting partner how many people have visited their promotion information or bought their products after visiting the promotion; or we may provide the partner with statistical information from which personal identity cannot be recognized to help them understand their target customers.
We will not assign your personal information to any company, organization or individual, except in the cases of "Exceptions to obtaining prior authorization and consent when sharing, assigning or publicly disclosing personal information".
We may publicly disclose your personal information only under the following circumstances:
• We may publicly disclose the personal information designated by you if you explicitly agree or choose to do so at your own free will;
• We may publicly disclose your personal information as required when it is necessary according to laws and regulations of the People's Republic of China, and mandatory administrative law enforcement or judicial requirements. On the premise of complying with laws and regulations, when we receive the request for information disclosure mentioned above, we will require that corresponding legal documents such as a subpoena or investigation letter must be issued.
According to relevant laws, regulations and national standards of the People's Republic of China, we may share, assign or publicly disclose your information without your prior authorization or consent in any of the following cases:
1) Information directly related to our performance of obligations under laws and regulations;
2) Information directly related to national security and national defense security;
3) Information directly related to public security, public health and major public interests;
4) Information directly related to criminal investigation, prosecution, trial, judgment execution, etc.;
5) Information collected to safeguard the life, property and other major legal rights and interests of you or other individuals when it is difficult to obtain your authorization and consent;
6) Personal information disclosed to the public at your will;
7) Information necessary for signing and performing the contract at your request;
8) Personal information collected from publicly disclosed information via lawful channels such as news reports or government information release.
9) Information necessary for maintaining the safe and stable operation of the products or services we provided, such as finding and handling the faults of the products or services.
According to laws of the People's Republic of China, sharing or assigning de-identified personal information, after ensuring that the data receiver is unable to recover or re-identify the subject of the personal information, does not pertain to activities of external sharing, assigning or publicly disclosing personal information. Such data may be stored and processed without giving you further notice or obtaining your consent.
If you visit our Website from places outside mainland China, please note that your information will be stored and processed in mainland China.
Generally speaking, we only keep your personal information for the shortest time necessary to achieve a purpose. After the expiration date, we will delete or anonymize your personal information. If we stop offering products or services on the 12306 Website, we will promptly stop collecting your personal information, notify you individually or by the means of public announcement of the termination of such business, and delete or anonymize the personal information that we hold after the service or operation is terminated.
Cookies are text files placed by the webserver on your access device, useful for helping call information and simplify the process of recording your personal information during your subsequent access. You have the right to accept or reject Cookies. If the browser automatically receives Cookies, you may modify the browser settings to reject cookies according to your needs. Please note that if you choose to reject cookies, you may be unable to experience the services provided by 12306 fully.
(1) The 12306 website attaches great importance to information security and sets up a dedicated team to assure information security. We have made all efforts to provide you with information protection, adopted appropriate management, technological and physical security measures, and established an information security guarantee system suitable for our business development based on domestic and international information security standards and best practices.
(2) From the perspective of the life cycle of data, we have developed security protection measures in all aspects of data collection, storage, display, processing, use, and destruction. According to the level of information sensitivity, we have adopted different control measures, including but not limited to access control, SSL (Secure Socket Layer) encrypted transfer and storage, as well as desensitized display of sensitive information. We have taken reasonable and feasible security protection measures that conform to industry standards to protect the personal information you provide, adopted encryption technology to improve the security of personal information and used reliable protection mechanisms to protect personal information from malicious attacks, so that personal information will not be accessed, publicly disclosed, used or modified without authorization, or damaged or lost.
(3) We have deployed access control mechanisms to ensure personal information is only accessible to authorized personnel. We have strict management on our employees who may come into contact with your information. We have made each operation under monitoring, established an approval mechanism for important operations such as data access, internal and external transfer and use, desensitization, and decryption, and signed confidentiality agreements with the above-mentioned employees. At the same time, we provide regular information security training for our employees and require them to build good operation habits in their daily work and enhance their awareness of data protection.
(4) Notwithstanding the aforementioned security measures, please understand that there are no "perfect security measures" on the network. We will provide appropriate security measures based on current technologies to protect your information. We will try our best to prevent your information from being disclosed, damaged or lost.
(5) All your accounts are under security protection. Please properly keep your account and password information and do not share your password with any other people or third-party website. If you find your personal information, especially your account or password, is leaked, please contact our customer service department immediately so that we can take appropriate measures.
(6) Please store or back up your words, pictures and other information in time. You need to understand and accept that the system and communication network you use to access our services may go wrong due to factors out of our control.
We will initiate the emergency response plan immediately to prevent the expansion of a personal information security incident if such incident unfortunately occurs. We will, according to laws and regulations of the People's Republic of China, inform you about the general conditions of the incident and possible impact, the measures that we have taken or will take, the suggestions regarding risk prevention and reduction for your own choice, remedial measures for you, etc. We will inform you of the relevant conditions of the incident by mail, telephone, push notification, etc. When it is difficult to inform the subjects of personal information individually, we will announce in a reasonable and effective manner. At the same time, we will actively report the disposal of such information security incidents as required by regulatory authorities.
According to the relevant laws of the People’s Republic of China, minors refer to people under the age of 18, and children refer to people under the age of 14.
The personal information of minors, especially children, collected with their parents’ or guardians' consent to their use of our products or services will be used, shared, assigned or disclosed only with permission by laws and regulations, with their parents’ or guardians' explicit consent or when it is necessary for the protection of minors. If we find that we have collected personal information of children without their parents’ or guardians' prior consent, we will manage to delete relevant data as soon as possible.
For children's personal information, we will further take the following measures:
(2) When you, as the guardian, choose to use 12306 related services for the child under your guardianship, we may collect from you the personal information of the child under your guardianship necessary for delivering related services to you. If it is necessary to collect the child's personal information for specific services, we will obtain your prior authorization and consent, and inform you of the purposes and use of the information collected. If you do not provide the information mentioned above, you will be unable to enjoy the related services that we provide. As the guardian, you should properly perform your guardianship duties and protect the personal information of the child. If the child needs to register or use our products and/or services, you should give appropriate instruction and let the child use our services under your guardianship.
(3) Children or their guardians have the right to access and correct the children's personal information at any time and may request us to correct or delete the information.
We attach great importance to your personal information and make all efforts to protect your rights to your personal information, except as otherwise required by laws and regulations. To ensure security, we may ask you to provide a written request or prove your identity in other ways. Usually, we will accept your request within 15 working days after receiving your reply and authenticating your identity. In principle, we will not charge for your reasonable request, but will charge a certain fee to cover the cost for unreasonable or repeated requests. We may refuse the requests that are repeated for no reason, require too many technical means, bring risks to legitimate rights and interests of others, or are very infeasible.
(1) You may log on "My 12306" and enter the personal center, personal information or other functional modules at any time to access, modify or delete your account information, including personal data, authorization settings, security settings, My Passengers, password, e-mail address and ticket delivery address.
(2) You may cancel your 12306 Website account via the following path:
1) You may deregister the account by logging in to the 12306 App: click "My" and then click "User Name"; or
2) You may cancel the account at nearby railway station counter with your valid ID document.
Once your 12306 Website account is canceled, we will no longer provide services for you, and will delete your personal information or anonymize it according to applicable laws, unless otherwise stipulated by laws or regulations.
(3) You may revoke your authorization by turning off some of the functions of your device. Or, you may revoke all authorizations to continue collecting your personal information by canceling your account.
(4) According to laws, regulations and national standards, we will not be able to respond to your request in any of the following cases:
1) When the request is related to our performance of obligations stipulated by laws and regulations;
2) When the request is directly related to state security and national defense security;
3) When the request is directly related to public security, public health and major public interests;
4) When the request is directly related to crime investigation, prosecution, trial and execution of judgment;
5) When there is sufficient evidence to show that you are subjectively malicious or abusing rights;
6) When it is necessary to safeguard the life, property and other major legal rights and interests of you or other individuals but it is difficult to obtain your consent;
7) When responding to your request will cause serious damage to the legal rights and interests of you or other individuals or organizations;
8) When the request involves trade secrets.
(1) Major changes in our service modes, such as the purpose of personal information processing, the type of personal information processed and the use of personal information;
(2) Major changes in our ownership or organizational structure, such as changes in owners caused by business adjustments, bankruptcies or mergers;
(3) Changes in main objects of personal information sharing, transfer or public disclosure;
(4) Major changes in your rights to participating in personal information processing and the way in which you exercise the rights;
(5) Changes in the department responsible for handling personal information security, the contact information or the complaint channels;
(6) The existence of high risks proved by the personal information security impact assessment report.
You may contact us via the following ways, and generally, we will accept and handle your request on personal information within 15 working days.
If you are not satisfied with our reply and believe that our personal information processing has damaged your legal rights and interests, you can make a complaint to the 12306 customer service, or make a complaint or report to regulatory authorities in charge of cyberspace administration, telecommunications, public security, or industry & commerce, or file a lawsuit to the competent people's court.