Privacy Policy

This Privacy Policy applies to the China Railway Customer Service Center ("we/us") Website http://www.12306.cn, the webpage and mobile clients (including iOS, Android and any other existing or future mobile clients) of the Website and other functions and services provided by us (hereinafter collectively referred to as "12306 Website" or "12306").

Last updated on: Aug 25, 2020.

Dear 12306 user ("user" or "you"): we have updated this Privacy Policy. The updated version incorporates additional types of services provided for you and personal information to be collected for such services, purposes for which we share your personal information with a third party, and types of such third parties.

Welcome to visit the 12306 Website!Please be reminded: the 12306 Website is a vital railway ticketing platform operated by China Academy of Railway Sciences Corporation Limited headquartered in Haidian District, Beijing.This privacy policy is closely related to your use of 12306 products or services (hereinafter collectively referred to as "services") on the 12306 Website. Please read it carefully before using the services and confirm that you have fully understood and agreed to this Privacy Policy, especially those in bold fonts or underlined content.

12306 is fully aware of the importance of personal privacy and will do its best to protect your personal information. We are committed to maintaining your trust in us, and will protect your personal information in accordance with the following principles: consistency of powers and responsibilities, defined purpose, selective consent, minimum necessity, security assurance, subject participation, openness, transparency, etc.. We will also take corresponding security measures that conform to the mature security standards in the industry to protect your personal information. Your personal information that we collect when you use the 12306 Website will be used only for the purposes set out in this Privacy Policy.

If you are the legal guardian of a child user, please read this Privacy Policy carefully and choose to agree to it or not. At the same time, please instruct your child to enhance his/her awareness and ability to protect personal information and not to provide any personal information to any product or service provider without your consent. If you are a child user, please use our products/services or provide information with the prior consent of your legal guardian.

This Privacy Policy will help you understand the following content:

1. How your personal information is collected or used

2. How your personal information may be shared, assigned or publicly disclosed

3. How your personal information is stored

4. Use of cookies

5. Prompts on sensitive personal information

6. Personal information security

7. Handling of information security incidents

8. Information protection for minors

9. Your rights to personal information

10. Changes to this Privacy Policy

11. How to contact us


1. How your personal information is collected or used

You understand and agree:

To offer you better products and services, we are making continuous efforts to improve our solutions. We offer new or optimized functions from time to time and accordingly may need to collect and use new personal information or change the purpose or method of handling personal data. In such cases, we will give you a further explanation of collection purpose, extent, and ways of using of such information through updates to this Privacy Policy, pop-up windows or page prompts, etc. and collect and use your information after obtaining your express consent.

"Personal information" refers to all kinds of information recorded by electronic or other means that can identify the identity of a specific natural person or reflect the activities of a specific natural person individually or in combination with additional information.

"Sensitive personal information" is defined as personal information that, once disclosed, illegally supplied, or abused, may endanger personal or property security, easily damage an individual's reputation and physical and psychological health, or lead to discriminatory treatment.

The contents of the above-mentioned personal information and sensitive personal information are respectively consistent with the content of Appendix A (informative appendix)-examples of personal information and Appendix B (informative appendix)-sensitive personal information judgment of the latest version of Personal Information Security Specification.

(I) The basic functions of collecting and using your personal information

Our services include some basic functions, such as those necessary for online ticket purchasing, improvement of our services, and guarantee of transaction security. We need to collect, store, and use the following personal information about you to realize such basic functions. If you do not provide relevant information, you will not be able to enjoy the services provided by us. The basic functions and types of personal information required are as follows:

(1) Registration as our user and log-in

• To register as our user, you need to create a user name and password so that we can provide services such as ticketing for you, and provide your name, gender, country/region, ID document type,ID document number, ID document validity period, date of birth, as well as the unique mobile phone number corresponding to your identity information and capable of communication, e-mail address and passenger type.

• If you want to log in by using face ID or fingerprint recognition, you need to provide your biometric information (face/fingerprint information). However, please note that we only receive the verification results of the terminal you use, and will not collect your biometric information (face/fingerprint information).

• If you only need information services such as browsing the Website and querying remaining tickets or stations, you do not need to register as our user or provide the information listed above.

(2) Ticket purchasing service

• When using ticket booking service, you need to provide the passenger's name, ID document type, ID document number, passenger type, mobile phone number and e-mail address. If you book tickets for other people, you need to provide the aforementioned personal information of the actual receiver. Once the order is placed, the actual receiver is deemed to have accepted this Privacy Policy too. Therefore, before ordering goods or services for other people, make sure you have obtained his/her authorization and consent.

(3) Protection of your transaction security

To enhance the security of services that are provided by us and our partners, ensure the safety of the operating environment, identify the abnormal status of registered accounts, better protect your or other user’s or the public’s personal and property security from infringement, prevent security risks such as phishing websites, fraud, network vulnerabilities, computer viruses, network attacks and network intrusions, as well as identify more accurately violations of laws and regulations of the People's Republic of China or 12306 Website-related protocol rules, we may use or integrate your user information, transaction information, device information, location information, log information and other information which are shared by our partners with your authorization or according to relevant laws, so as to judge your account and transaction risks comprehensively, conduct identity authentication, detect and prevent security incidents, and take necessary record, audit, analysis and disposal measures according to relevant laws.

(II) The extended functions of collecting and using your personal information

To provide more convenient services or more enjoyable experience, we provide the following extended functions, which may collect and use your personal information. If you do not provide such personal information, you can still use the essential services listed in item (I). These extended functions and the types of personal information required are as follows:

(1) Displaying and pushing personalized goods or services to you

To improve our products or services and provide you with personalized information search and transaction services, after you explicitly agree and choose to grant the corresponding authorization, we will extract your preferences such as browsing/search habit, behavior & habit, and location information according to your browsing/search records, device, location, log and order information,and perform indirect group profiling and display and push information based on the feature labels.

(a) Device information:We will receive and record information about the device you are using (e.g. software and hardware characteristics information including device model, version of operation system, device settings, and unique device identifier)according to the specific authorizations you grant in software installation and use.

(b) Location information: It refers tothe information about your location such as IP address, GPS location and sensor information that can provide relevant location information including Wi-Fi access point, Bluetooth, and base station,which is collected when you enable the location function of the device and use services we offer based on the location. If you authorize the use of your location, the station of the city you are currently in can be automatically added to the "recently used" stations so that you can conveniently use such functions as querying ticket agencies nearby.

(c) Log information:When you use the products or services provided via our Website or client, we will automatically collect the information about the details of your use of our services, for example, your search and query content, IP address, browser type, telecom carrier, language used, access date and time, and record of pages you browse, and store these details in a relevant weblog.

Please note that individual device information, log information or location information is not sufficient to identify a specific natural person. If we use such non-personal information in combination with other information to identify a specific natural person or use it in combination with personal information, such non-personal information will be regarded as personal information during the use. Unless otherwise authorized by you or specified by laws and regulations, we will handle and protect such personal information per this Privacy Policy.

(2) Providing specific goods or services for purchase or use

If you order any of the following products or services for other people, you may need to provide the personal information of the actual receiver. Once the order is placed, the actual receiver is deemed to have accepted this Privacy Policy too. Therefore,before ordering goods or services for other people, make sure you have obtained his/her authorization and consent.

• If you choose "ticket waitlist"service, you need to accomplish the person-ID document checking on the registered user.

• If you choose "meal ordering · specialty products"service, you need to provide the recipient's name, mobile phone number, date of travel, train number, carriage and seat information.

• If you choose "ticket express delivery"service, you need to provide the recipient's name, mobile phone number and address information.

• If you choose "lounge · station transfer"service, you need to provide the service date and departure train number selected by the service booker.

• If you choose "hotel"service, you need to provide the name and mobile phone number of the person to check-in.

• If you choose "car hire"service, you need to provide the name (optional) and mobile phone number of the passenger.

• If you choose "poverty alleviation mall"service, you need to provide the recipient's name, mobile phone number and address information.

• If you choose "travel insurance"service, you need to provide the applicant's name, ID document type, ID document number, and mobile phone number; If you buy the insurance for other people, you need to provide the insured's nameand ID document type and number.

• If you choose "bus ticket"service, you need to provide the passenger's departure city, arrival city and date of travel.

• To display the order information of your account, we will collect the order information generated when you use our services to display such information for you and enable you to manage the order conveniently.

• When you contact us, we may store your communication/call record and content or the contact information you give, to contact you or help you solve problems, or record the solutions and results of related problems.

• You may use the products or services provided by us and our business partners via the links provided on the 12306 Website. When you use the services above via our products or services, you authorize us, according to actual business and cooperation needs, to receive, summarize and analyze your personal or transaction information provided by our affiliated companies, which we confirm are from a legal source or provided to us with your authorization. Before you use any services provided by a third party, please ensure that you have fully understood the rules of collection and use of personal information of the third party. Please contact the third party's customer service department for questions.

• The above-extended functions may require you to open access to your device to us in your device:

(a) Camera access: If you need to use the function of scanning ticket QR code or face verification, please allow the 12306 App to access your camera.

(b) Album/photo gallery access: If you need to use the function of storing and sharing train information, please authorize the 12306 App to access your album.

(c) Push access: If you need to receive notification messages from 12306, please authorize the 12306 App for information push. If you choose to receive notifications via WeChat or Alipay, you need to provide and authorize us to use the corresponding third-party account information so that we can provide push notification service according to your choice.

Please note that by granting access to these functions, you authorize us to collect and use this personal information to realize the above functions. When you stop the grant of access, you cancel the authorization, and we will not continue to collect and use your personal information, nor will we be able to provide you with the above functions corresponding to these authorizations. Your decision to stop the access will not affect the previous processing of personal information based on your authorization.

(3) Other purposes

We may conduct de-identification research, statistical analysis, and prediction on the collected information to improve the content and layout of 12306, provide a product or service reference for business decisions, and improve our products and services. For example, we may use anonymous data to conduct machine learning or model algorithm training.

(III) Exceptions to obtaining authorization and consent

According to relevant laws, regulations and national standards of the People's Republic of China, we may collect your personal information without your authorization or consent in any of the following cases:

1) Information related to our performance of obligations under laws and regulations;

2) Information directly related to national security and national defense security of the People's Republic of China;

3) Information directly related to public security, public health and significant public interests;

4) Information directly related to criminal investigations, prosecutions, trial, judgment execution, etc.;

5) Information collected to safeguard the life, property and other significant legal rights and interests of you or other individuals when it is difficult to obtain your consent;

6) Personal information disclosed to the public at your will;

7) Information necessary for signing and performing the contract at your request;

8) Personal information collected from publicly disclosed information via lawful channels such as news report or government information release;

9) Information necessary for maintaining the safe and stable operation of the products or services provided, such as finding and handling the faults of the products or services.

10) Information necessary for academic research institutions to conduct statistical or academic researches for public interests, where the personal data contained in the academic research result is de-identified when the research or description result is provided to others.

2. How your personal information may be shared, assigned or publicly disclosed
(1) Sharing

According to your choice or in accordance with the "Exceptions to obtaining prior authorization and consent when sharing, assigning and publicly disclosing personal information", we may share your order, account, contact and location information with third parties to ensure the smooth completion of the services provided for you. However, we share your personal information for legal, legitimate, necessary, specific and defined purposes only, and to the extent as necessary for service provision. Our partners have no right to use the shared personal information for any other purpose.

Our partners include suppliers and third-party merchants of goods or technical services for various functions in this Privacy Policy, including but not limited to infrastructure technical service, logistics and distribution service, payment service, hotel reservation, car hire service, travel insuranceand bus ticketing service. We share such information to fulfill the functions of products and/or services you choose to use. For example, we must share your mobile phone number with an online car hire company so that you can be reached and successfully get in the car. Or, we share your order number and amount with a third-party payment service provider to confirm your payment command and accomplish the payment; Or, we must share your order information and necessary information related to the transaction with third-party merchants to meet your need for their goods or services and enable them to accomplish subsequent after-sales service for you.

In some cases, we will also be entrusted to handle your personal information, and the circumstances under which we serve as trustee usually include:

• Partners entrusting us with promotion. Sometimes we provide promotion service for other companies targeting at users of our products and/or services. After obtaining your consent, we provide such partners only with coverage and validity information related to the promotion instead of your personal identity information, or we summarize such information so that you cannot be identified individually.For example, we tell an entrusting partner how many people have visited their promotion information or bought their products after visiting the promotion; or we may provide the partner with statistical information from which personal identity cannot be recognized to help them understand their target customers.

We will sign strict confidentiality agreements with the companies and organizations with which we share personal information and require them to treat personal information per this Privacy Policy and other relevant confidentiality and security measures of us. Our partners have no right to use the shared personal information for any other purpose. If it is necessary to change the purpose of personal information processing, we will ask for your further authorization and consent. If we intend to share personal information of a child with a third party, we will conduct a security assessment and protect the information by such means as encryption, anonymization and de-identification.

(2) Assignment

We will not assign your personal information to any company, organization or individual, except in the cases of "Exceptions to obtaining prior authorization and consent when sharing, assigning or publicly disclosing personal information".

In case of acquisition, merger, reorganization, bankruptcy or similar transactions or situations, if the assignment of personal information is involved, we will inform you about the situation and require the new company or organization that holds your personal information to continue to abide by this Privacy Policy. If the purpose of using personal information is changed, we will ask the company or organization to seek your authorization and consent again.

(3) Public disclosure

We may publicly disclose your personal information only under the following circumstances:

• We may publicly disclose the personal information designated by you if you explicitly agree or choose to do so at your own free will;

• We may publicly disclose your personal information as required when it is necessary according to laws and regulations of the People's Republic of China, and mandatory administrative law enforcement or judicial requirements. On the premise of complying with laws and regulations, when we receive the request for information disclosure mentioned above, we will require that corresponding legal documents such as a subpoena or investigation letter must be issued.

(4) Exceptions to obtaining prior authorization and consent when sharing, assigning or publicly disclosing personal information

According to relevant laws, regulations and national standards of the People's Republic of China, we may share, assign or publicly disclose your information without your prior authorization or consent in any of the following cases:

1) Information directly related to our performance of obligations under laws and regulations;

2) Information directly related to national security and national defense security;

3) Information directly related to public security, public health and major public interests;

4) Information directly related to criminal investigation, prosecution, trial, judgment execution, etc.;

5) Information collected to safeguard the life, property and other major legal rights and interests of you or other individuals when it is difficult to obtain your authorization and consent;

6) Personal information disclosed to the public at your will;

7) Information necessary for signing and performing the contract at your request;

8) Personal information collected from publicly disclosed information via lawful channels such as news reports or government information release.

9) Information necessary for maintaining the safe and stable operation of the products or services we provided, such as finding and handling the faults of the products or services.

According to laws of the People's Republic of China, sharing or assigning de-identified personal information after disabling the data receiver to recover or re-identify the subject of the personal information does not pertain to activities of external sharing, assigning or publicly disclosing personal information. Such data may be stored and processed without giving you further notice or obtaining your consent.

3. How your personal information is stored

If you visit our Website from places outside mainland China, please note that your information will be stored and processed in mainland China.

Generally speaking, we only keep your personal information for the shortest time necessary to achieve a purpose. After the expiration date, we will delete or anonymize your personal information. If we stop offering products or services on the 12306 Website, we will promptly stop collecting your personal information, notify you individually or by the means of public announcement of the termination of such business, and delete or anonymize the personal information that we hold after the service or operation is terminated.

4. Use of cookies

Cookies are text files placed by the webserver on your access device, useful for helping call information and simplify the process of recording your personal information during your subsequent access. You have the right to accept or reject Cookies. If the browser automatically receives Cookies, you may modify the browser settings to reject cookies according to your needs. Please note that if you choose to reject cookies, you may be unable to experience the services provided by 12306 fully.

5. Prompts on sensitive personal information

12306 reminds you that the content and information uploaded or released when you use products or services provided by 12306 may involve your sensitive personal information, including but not limited to ID document number, personal biometric information (face and fingerprint information), travel information and personal information of children under the age of 14 (inclusive). Therefore, you need to consider carefully before using the products or services we offer. You agree that the sensitive personal information will be handled for the purposes and with the methods set out in this Privacy Policy.

6. Personal information security

(1) The 12306 website attaches great importance to information security and sets up a dedicated team to assure information security. We have made all efforts to provide you with information protection, adopted appropriate management, technological and physical security measures, and established an information security guarantee system suitable for our business development based on domestic and international information security standards and best practices.

(2) From the perspective of the life cycle of data, we have developed security protection measures in all aspects of data collection, storage, display, processing, use, and destruction. According to the level of information sensitivity, we have adopted different control measures, including but not limited to access control, SSL (Secure Socket Layer) encrypted transfer and storage, as well as desensitized display of sensitive information. We have taken reasonable and feasible security protection measures that conform to industry standards to protect the personal information you provide, adopted encryption technology to improve the security of personal information and used reliable protection mechanism to protect personal information from malicious attacks, so that personal information will not be accessed, publicly disclosed, used or modified without authorization,or damaged or lost.

(3) We have deployed access control mechanisms to ensure personal information only accessible to authorized personnel. We have strict management on our employees who may come into contact with your information. We have made each operation under monitoring, established an approval mechanism for important operations such as data access, internal and external transfer and use, desensitization, and decryption, and signed confidentiality agreements with the employees mentioned-above. At the same time, we provide regular information security training for our employees and require them to build good operation habits in their daily work and enhance their awareness of data protection.

(4) Notwithstanding the aforementioned security measures, please understand that there are no "perfect security measures" on the network. We will provide appropriate security measures based on current technologies to protect your information. We will try our best to prevent your information from being disclosed, damaged or lost.

(5) All your accounts are under security protection. Please properly keep your account and password information and do not share your password with any other people or third-party website. If you find your personal information, especially your account or password, is leaked, please contact our customer service department immediately so that we can take appropriate measures.

(6) Please store or back up your words, pictures and other information in time. You need to understand and accept that the system and communication network you use to access our services may go wrong due to factors out of our control.

7. Handling of information security incidents

We will initiate the emergency response plan immediately to prevent the expansion of a personal information security incident if such incident unfortunately occurs. We will, according to laws and regulations of the People's Republic of China, inform you about the general conditions of the incident and possible impact, the measures that we have taken or will take, the suggestions regarding risk prevention and reduction for your own choice, remedial measures for you, etc.. We will inform you of the relevant conditions of the incident by mail, telephone, pushing notification, etc.. When it is difficult to inform the subjects of personal information individually, we will announce in a reasonable and effective manner. At the same time, we will actively report the disposal of such information security incidents as required by regulatory authorities.

8. Information protection for minors

According to the relevant laws of the People’s Republic of China, minors refer to people under the age of 18, and children refer to people under the age of 14.

12306 is mainly for adults. Without the consent of parents or guardians, minors, especially children under the age of 14, shall not create their own personal information subject account. If you are the guardian of a minor, we remind you to perform your guardianship duties correctly and protect the personal information of the minor. If the minors under your care use our services, you should give them correct guidance and care.If you are a minor, please read this Privacy Policy carefully with the help of your parents or guardians before using the services on the 12306 Website,and use our services or provide information with the consent of your parents or guardians.

The personal information of minors, especially children, collected with their parents’ or guardians' consent to their use of our products or services will be used, shared, assigned or disclosed only with permission by laws and regulations, with their parents’ or guardians' explicit consent or when it is necessary for the protection of minors. If we find that we have collected personal information of children without their parents’ or guardians' prior consent, we will manage to delete relevant data as soon as possible.

For children's personal information, we will further take the following measures:

(1) For the personal information of children collected, we will not only comply with provisions of this Privacy Policy regarding users' personal information, but also follow the principles of legitimate necessity, informed consent, defined purpose, safety guarantee and legal utilization. We will store, use and disclose the information per laws and regulations such as the Regulations on Online Protection of Children's Personal Information in a period as necessary to fulfill the purposes of collecting or using such information. We will delete or anonymize the personal information of children when the period ends.

(2) When you, as the guardian, choose to use 12306 related services for the child under your guardianship, we may collect from you the personal information of the child under your guardianship necessary for delivering related services to you. If it is necessary to collect the child's personal information for specific services, we will obtain your prior authorization and consent, and inform you of the purposes and use of the information collected. If you do not provide the information mentioned above, you will be unable to enjoy the related services that we provide. As the guardian, you should properly perform your guardianship duties and protect the personal information of the child. If the child needs to register or use our products and/or services, you should give appropriate instruction and let the child use our services under your guardianship.

(3) Children or their guardians have the right to access and correct the children's personal information at any time and may request us to correct or delete the information.

We have appointed dedicated personnel to take charge of the protection of children's personal information. If you have any comments, suggestions, complaints, or reports about children's personal information, please contact us via the contact information listed in the Privacy Policy. We will provide timely assistance.

9. Your rights to personal information

We attach great importance to your personal information and make all efforts to protect your rights to your personal information, except as otherwise required by laws and regulations. To ensure security, we may ask you to provide a written request or prove your identity in other ways. Usually, we will accept your request within 15 working days after receiving your reply and authenticating your identity. In principle, we will not charge for your reasonable request, but will charge for a certain fee to cover the cost for unreasonable or repeated requests. We may refuse the requests that are repeated for no reason, require too many technical means, bring risks to legitimate rights and interests of others, or are very infeasible.

(1) You may log on "My 12306" and enter the personal center, personal information or other functional modules at any time to access, modify or delete your account information, including personal data, authorization settings, security settings, My Passengers, password, e-mail address and ticket delivery address.

(2) You may cancel your 12306 Website account via the following path:

1) You may deregister the account by logging in to 12306APP: click "My" and then click "User Name"; or

2) You may cancel the account at nearby railway station counter with your valid ID document.

Once your 12306 Website account is canceled, we will no longer provide services for you, and will delete your personal information or anonymize it according to applicable laws, unless otherwise stipulated by laws or regulations.

(3) You may revoke your authorization by turning off some of the functions of your device. Or, you may revoke all authorizations to continue collecting your personal information by canceling your account.

(4)According to laws, regulations and national standards, we will not be able to respond to your request in any of the following cases:

1) When the request is related to our performance of obligations stipulated by laws and regulations;

2) When the request is directly related to state security and national defense security;

3) When the request is directly related to public security, public health and major public interests;

4) When the request is directly related to crime investigation, prosecution, trial and execution of judgment;

5) When there is sufficient evidence to show that you are subjectively malicious or abusing rights;

6) When it is necessary to safeguard the life, property and other major legal rights and interests of you or other individuals but it is difficult to obtain your consent;

7) When responding to your request will cause serious damages to legal rights and interests of you or other individual or organization;

8) When the request involves trade secrets.

10. Changes to this Privacy Policy

The content of this Privacy Policy may be modified from time to time to be adapted to the development of laws, technologies or business. The updated Privacy Policy will be posted on the 12306 Website and major changes will be notified to users through appropriate ways such as website announcements and user notification. Major changes referred to herein include:

(1) Major changes in our service modes, such as the purpose of personal information processing, the type of personal information processed and the use of personal information;

(2) Major changes in our ownership or organizational structure, such as changes in owners caused by business adjustments, bankruptcies or mergers;

(3) Changes in main objects of personal information sharing, transfer or public disclosure;

(4) Major changes in your rights to participating in personal information processing and the way in which you exercise the rights;

(5) Changes in the department responsible for handling personal information security, the contact information or the complaint channels;

(6) The existence of high risks proved by the personal information security impact assessment report.

When you use our Website, you may review our privacy policy at any time so that you can understand the changes. You may view the latest update date of this Privacy Policy at the "latest update" on the top of this Privacy Notice.

11. How to contact us

You may contact us via the following ways, and generally, we will accept and handle your request on personal information within 15 working days.

Tel.: 12306

E-mail: kyfw@12306.cn

If you are not satisfied with our reply and believe that our personal information processing has damaged your legal rights and interests, you can make a complaint to the 12306 customer service, or make a complaint or report to regulatory authorities in charge of cyberspace administration, telecommunications, public security, or industry & commerce, or file a lawsuit to the competent people's court.