This privacy notice was last updated: October 2025
This privacy notice tells you what to expect when Heathrow Airport Limited (“Heathrow”) collects personal information about you when you use any Commercial Service offered by Heathrow, these include (but are not limited to):
Heathrow is committed to protecting your personal information when you use the Commercial Services. Whenever you provide such information, we are legally obliged to use your information in line with all applicable laws concerning the protection of personal data, including the UK General Data Protection Regulation (“UK GDPR”). Your information will be kept in a secure environment and access to it will be restricted according to the “need to know” principle.
Depending on the Commercial Service you use, we may collect the following information about you:
Heathrow will use your personal data for number of purposes including the following:
| Use of Data |
Purpose |
Justification |
|---|---|---|
| To provide the Retail Services to you | Contract |
We collect information to provide the Reserve & Collect Service to enable you to reserve products listed on the Website and to enable the delivery of the reserved products to you at either a retailer’s store at Heathrow Airport or to a Heathrow operated collection desk at Heathrow Airport for purchase from third party retailers and collection. For each third-party retailer who concludes a sale of a reserved product at a Heathrow operated collection desk only (and has no physical retail store at Heathrow Airport), more information on each such retailer’s privacy policy can be found here: We collect information to provide you with the Reserve and Collect (payment in advance) service. This is to enable you to reserve and pay for products online and collect at the airport. While we handle the fulfilment and service, your purchases with the Retailer will be processed by the relevant retailer.
To understand how Stripe as controllers process and share your information with payment providers please visit the following privacy notices: Stripe privacy center. We collect information to provide the Personal Shopper Service to enable you to pre-book this service on the Website and to enable you to use this service in person in the designated lounges at Heathrow Airport to reserve products and services for purchase from third party retailers. For more information: https://boutique.heathrow.com/en/personal-shopper We collect information to provide the Collect on Return service to enable you to store your purchases with us and collect on your return journey back to Heathrow. For more information: We collect information to provide the Returns Promise service to enable you to return faulty or unwanted good on behalf of Heathrow retailers within 60 days of purchase and subject to the terms and conditions. The Heathrow Returns Promise operates in parallel with the Retailers’ own existing returns policy. For more information: We collect information to provide the Terminal Shopping Transfer service to enable you to book and shop at brands located in terminals which are not in your departing terminal accompanied by Operator personnel for the express purpose of shopping. For more information: We collect information to provide the Home Delivery service to enable you to shop in Heathrow’s retailers and request for your purchases to be delivered to your UK home address. For more information: |
| To provide the Heathrow Rewards Loyalty Programme to you | Contract/Consent |
This includes providing updates and information as well as logging your activities within Heathrow Rewards. Approved third parties may process the data in certain circumstances, for example, refunds of Heathrow Rewards points when a purchase has been returned. As the refund process is managed separately from the till/transaction location, in order to process the deduction of points after a refund has been made, Heathrow uses the third party to manage the process on our behalf. The lawful justification for collecting and using your personal data for implementation of the rewards scheme is that it is necessary for providing the Heathrow Rewards loyalty programme which you contractually enter into. We may send you competitions or prize draws if you have consented to sign up to our campaigns. Where you enter a competition or prize draw, we will process your data for the purposes of administering and managing the competition or prize draw. The lawful justification for collecting this data is based on the contract you enter. It is necessary for the performance of the relevant competition or prize draw which you contractually enter into. Failure to provide mandatory data fields denoted by a ‘*’ will mean that we will not be able to enter you into the relevant competition or prize draw. |
| To provide you with the Heathrow Wi-Fi service | Contract | We will be unable to form a contract and provide you with Heathrow’s Wi-Fi Services without collecting and using your personal data. |
| To follow up your enquiry or request via our Customer Service Team, to keep a record of any actions and engagement of our responses | Legitimate Interest/ Consent |
Heathrow has a legitimate interest for processing your personal data in order to respond to any customer service enquiries. Where you give us your consent, we will use sensitive data to investigate any concerns in relation to assistance or safety enquiries. Where you have provided us with a Customer Service Survey (CSAT) response we will process your results accordingly. We may utilise Einstein GPT to aid customer service agents in addressing your enquires, for more information please see: Privacy Policy - Salesforce.com. We use a variety of contact channels such as webforms, telephone, letters, live chat, WhatsApp and social media platforms such as Twitter, Facebook and Instagram. We may use these channels to respond to your enquiry, depending on how you have chosen to interact with us. |
| To provide the Terminal Drop-Off Charge service | Contract/Legitimate Interest/Consent |
To provide the Terminal Drop-Off Charge service, Heathrow will collect your VRM via Automatic Number Plate Recognition (“ANPR”) and CCTV. This information will then be passed on to APCOA, who manage the process of forecourt access including the enforcement of the program. Heathrow will only collect first name, last name, and email address of users who consent to their details being used for marketing purposes, this information will be collected by APCOA on our behalf and transferred to our marketing agents. The lawful basis for our processing of your vehicle registration data is based on it being necessary to perform our contract with you permitting the use of a vehicle at Heathrow Airport for use of the forecourt. Heathrow also relies upon legitimate interests in connection with data processed in connection with TDOC. The terms and conditions are set out on the signage located around the site and online: https://www.heathrow.com/terms-and-conditions/terminal-drop-off-charge-terms-and-conditions We also utilise ANPR (Automatic Number Plate Recognition) data to support our sustainability goals, including reporting on surface access carbon emissions and understanding vehicle usage. The data collected includes vehicle registration numbers collected from ANPR cameras; this information is shared with the DVLA to gain further insight about the vehicle and emission type. By processing this data, we are actively contributing to a cleaner environment and fostering sustainable practices. If you would like to opt out of this processing, please contact: ANPRdata@heathrow.com. We will make every reasonable and proportionate effort to fulfil your opt-out request. Please note that your data is retained for 31 days before being permanently deleted from our systems. To ensure an effective search and increase the likelihood of processing your request within the retention period, we require a minimum of 10 working days before expiry. Therefore, we strongly recommend submitting your opt-out request as early as possible. |
| To provide the Heathrow Parking, Fast Track, Meet & Assist, Porters and Airport Lounges Services | Contract | We will be unable to form a contract and provide you with Heathrow Services without collecting and using your personal data. This information is also required to provide you with service information and to respond adequately to potential enquiries in relation to your booking. |
| Heathrow collects information on your usage of the Heathrow Photo and Video Asset Platform to see who is using the site and how the content is being used | Contract and Legitimate Interest | The lawful justification for collecting and using your personal data is that it is necessary for the performance of the Heathrow Photo and Video Asset Library which you contractually enter into. Heathrow has a legitimate interest to ensure that the content is being used correctly. |
| To provide the Heathrow VIP Service to you | Contract | We collect your personal information when you use our VIP service. The lawful basis we rely on is contract to ensure we are able to fulfil the service, provide you with service information and to respond adequately to potential enquiries in relation to your booking. |
| To send you marketing communications about the Website, the Commercial Services, and any other Heathrow products and services, as well as information | Consent |
When you purchase a Heathrow or Heathrow Express product, use one of our services or engage with our retail partners, we may send you marketing communications where we have your consent to do so. These communications aim to inform you about latest updates, promotions and exclusive offers, or simply to inform you of the range of services available to enhance your experience when visiting Heathrow or using our online platforms. We may combine the data we collect with other information we hold about you if you have used our products and services before, or if you have provided your Heathrow Rewards account number when purchasing from our retail partners. This processing is conducted where we have a legitimate business interest. We may also analyse our marketing communications, including how they are received, to evaluate campaign effectiveness and to learn from customer engagement. This helps us better understand our customers’ preferences when interacting with Heathrow and our partners’ products and services. As a result, we can continue to provide ever more relevant content and services, with the aim that our communications are meaningful and that your journey experience is improved. You have full control over how we use your data for marketing purposes. If you no longer wish to receive marketing communications, you can update your marketing preferences at any time by:
or
|
| We may share your name and email address with selected partners at Heathrow Airport, including World Duty Free, who will use your personal data to send marketing communications to you | Consent | We may share your name and email address with selected partners at Heathrow Airport, including World Duty Free, who will use your personal data to send marketing communications to you. We will only do this where you give us your clear consent to do so. For more information on how World Duty Free process your information please see their privacy notice here. |
| To provide you with the Heathrow App. |
Legitimate interest/ Consent |
Where you input your flight details/scan your boarding pass, we have a legitimate interest to process this information and provide you with up-to-date flight and operational information. Where you sign into your reward account on the app, we would process your email alongside your first and last name. To provide you with the opportunity to book and use our Heathrow Commercial Services we would process your personal data in relation to the bespoke service. For more information, please see the commercial services outlined above. To provide you with navigation via our wayfinding feature. Where we have your consent to do so we would process your location and Bluetooth to navigate you to your destination. Where you have provided us with your consent to use your location, to send push notifications and to send you marketing communications we will send you push notifications by capturing your IP address, Device ID and other similar online identifiers to send you personalised content based on your location. This includes promotional material and will only be sent if we have your consent to do so. Other push notification communications include service messaging to make you aware of any disruption to our services. We use affiliate tracking links to ensure you are referred to the right place by analysing referral traffic from our third parties that provide the commercial services. We only do this where we have your consent, if you would prefer not to be part of this you can opt out at any time on the Heathrow App via settings. You are always in control of how we use your personal data. If you don't want to receive marketing communications from us, you can change your marketing preferences at any time by contacting privacy@heathrow.com. Alternatively, you can manage or update your consent via the settings on the app at any time. |
| To provide the My Heathrow platform | Contract | My Heathrow online account provides seamless access to all Heathrow services. We process your data to enable a single sign-on with multi-factor authentication and security, ensuring access to your My Heathrow account dashboard which displays your orders/bookings, account history and other account details. |
| Competitions | Contract/Consent |
We may send you competitions or prize draws if you have consented to sign up to our campaigns. Where you enter a competition or prize draw, we will process your data for the purposes of administering and managing the competition or prize draw. The lawful justification for collecting this data is based on the contract you enter. It is necessary for the performance of the relevant competition or prize draw which you contractually enter into. |
You are always in control of how we use your personal data and can opt out of marketing communications during and after the booking process. You can change your marketing preferences at any time or unsubscribe from Heathrow marketing communications by visiting ‘My Account’ or by clicking ‘Unsubscribe’ on the footer of a Heathrow Commercial Services marketing email. You have the right to object to this processing which you can exercise by contacting privacy@heathrow.com. Please note that if you object, this may affect our ability to send personalised marketing communications to you.
Your information may be stored, handled, managed and/or used by the following recipients in order to deliver the Commercial Services:
We will not transfer or disclose your personal information, other than as identified in this privacy notice or otherwise except to our trusted third-party partners, to the police, tribunals, courts, regulators, or other authorities to assist them with their investigations or requests or for us to report security incidents or suspected or actual unlawful acts and/or as may be otherwise required by law.
All information identified in this privacy notice is processed in the UK and the EEA in exception to your information relating to our trusted partners (i.e. airline frequent flyer programs) who may transfer your information overseas to fulfil your Heathrow Rewards points conversion to the corresponding currency. Where we are responsible for your personal data, we always ensure that your information remains protected and secure when being transferred.
Your account information in respect of all Commercial services other than the listed below will be retained for a period of three years from the date of your last interaction after which your personal data will be anonymised.
Your Heathrow Wi-Fi account information will be retained for a period of 15 days from the date of your last Wi-Fi login at which point all of your personal details are removed from our systems.
Heathrow will retain information in relation to CCTV/ANPR data for a period of 31 days from the date of your drop off after which point it will be deleted.
Blue badge details provided for the Terminal Drop Off Service will be retained for a period of 14 days after this your data will be deleted.
Under the UK General Data Protection Regulation, you have the right to:
• Be informed as to how your data is being processed;
• Access your personal data by making a subject access request;
• Rectification, erasure or restriction of your information where this is justified; • Object to the processing of your information where this is justified;
• Where applicable, you have rights in relation to data portability; and
• Where applicable, you have rights in relation to automated decision making.
To exercise your rights, please contact the Heathrow data protection officer using the following contact details:
Data Protection Officer
Heathrow Airport Limited
The Compass Centre
Nelson Road
Hounslow
Middlesex
TW6 2GW
Email: privacy@heathrow.com
Should you find our response unsatisfactory, you have the right to lodge a complaint with the supervisory authority – the Information Commissioner’s Office (“ICO”). You can find more information on the ICO website at https://ico.org.uk/concerns/ regarding the complaints process.
A new era has begun for the UK and EU now that the Brexit transition period is over. From time to time, we may process personal data from EU residents. Whenever applicable, we have appointed an EU Representative to ensure that we continuously process your personal data in compliance with applicable laws and without undermining your statutory rights. You can contact our EU Representative at HeathrowEURepresentative@eversheds-sutherland.com and write EU Representative as subject matter.
You may also contact our EU Representative per post mail at:
Eversheds Sutherland Netherlands B.V.
Attn. EU Representative Heathrow Airport
Fascinatio Boulevard 212
Floor 2A
3065 WB Rotterdam
Cookies are small text files which are stored on your computer when you visit certain web pages. At Heathrow we use cookies to understand how our sites are used which helps us to improve your overall online experience. Some of the cookies we use are necessary for some of our sites to work whilst other cookies are used to provide tailored advertising by trusted third parties. To find out more about cookies, visit www.aboutcookies.org.
Heathrow uses the following types of cookies on our websites:
Strictly Necessary |
|||
Cookie |
Operator |
Duration |
Purpose |
| __cf_bm | Cloudflare | 1 day | Used to maximize network resources, manage traffic, and protect our customers’ sites from malicious traffic and Bot detection. |
| __cq_dnt dw_dnt dwsid sid |
Salesforce Commerce Cloud | Session | Essential in order to provide a good shopping experience, enabling customers to place orders and manage Salesforce Cookie consent. |
| dwanonymous_* | Salesforce Commerce Cloud | 180 Days | Used to identify repeat customers and save settings and repeat information. |
| utag_main CONSENTMGR |
Tealium | 365 Days | Required for cookie and tag consent management |
| AWSALB AWSALBCORS AWSALBTG AWSALBTGCORS |
Adobe AEM and Amazon Web services | 1 week | These are used for Load balancing to ensure our hosting can cope with website demand. |
1st Party Performance |
|||
Cookie |
Operator |
Duration |
Purpose |
|
AMCV_* AMCVS_* gpv_pn gpv_url s_cc s_vi |
Adobe Analytics |
13M Session Session Session Session |
These first party cookies are used to measure the performance of our websites and enable us to improve content and functionality. They are not used for any targeting or identification purposes and will not result in you seeing adverts. |
|
at_check mbox |
Adobe Target |
Session 13M |
These first party cookies are used for a/b testing on our website to find the best content and layout. They are not used for any targeting or identification purposes. |
3rd Party Performance |
|||
Cookie |
Operator |
Duration |
Purpose |
|
_cs_c _cs_id _cs_cvars _cs_s _cs_mk |
Contentsquare |
Session 13M 13M 13M
|
These cookies are used to provide our users with a better experience, identify technical issues and monitor and improve the overall performance of our site. They are not used for any targeting or identification. |
Functionality |
|||
Cookie |
Operator |
Duration |
Purpose |
|
__stripe_mid __stripe_ |
Stripe |
13M
|
Stripe sets these cookies as a unique session identifier to recognize users and provide payment functionality across sessions. |
Targeting & Advertising |
|||
Cookie |
Operator |
Duration |
Purpose |
| _fbp &others |
13M | Used to measure performance of Facebook advertising. This will result in Facebook showing personalized ads through retargeting. | |
|
_gcl_au _gcl_aw _gcl_dc _gcl_gs GCL_AW_P GCL_DC_P __Secure-1PSID __Secure-3PSIDCC __Secure-3PSIDTS |
From 1 day to 13 Months | Used to measure performance of Google advertising. This will result in Google knowing you visited Heathrow sites and potentially show relevant and personalized ads through retargeting. | |
| ar_debug | Doubleclick | 1 Year | This cookie is used by Google Ad Services/DoubleClick to resolve issues with advertisement. |
|
_uetsid _uetvid MSPTC MUID |
Microsoft Bing Ads | From 1 day to 1 Year | Used by Bing Ads to track visits across websites, measure advertising performance and retarget relevant and personalised ads. |
|
d Mc _qca |
Quantserve | Used to measure display advertising performance and advertising measurement as well as retargeting. | |
|
ORA_FPC oinfo oid |
Oracle | 730 Days | Used for Advertising measurement and retargeting. |
Personalisation |
|||
Cookie |
Operator |
Duration |
Purpose |
|
_evga_* _sfid_ |
Salesforce Personalisation |
13M
|
Used to deliver tailored content, product recommendations and offers on our websites. They will recognise repeat visits and show more relevant content. |
Heathrow uses the following types of cookies on our websites:
Strictly necessary - These cookies are essential for our websites to work and without these cookies, some services you have asked for cannot be provided.
Performance - These cookies are used to collect anonymous information about how you use our websites. This information is used to help us continually improve our websites and understand how effective our adverts are. You can opt-out of these cookies by managing your preferences above.
Functionality - These cookies are used to provide services or remember settings to enhance your visit for example text size or other preferences. You can opt-out of these cookies by managing your preferences above.
Targeting and Advertising - These cookies are used by trusted third parties to deliver adverts more relevant to you and your interests. They are also used to limit the number of times you see an advert as well as help measure the effectiveness of the advertising campaign. You can opt-out of these cookies by managing your preferences above.
Personalisation - These cookies help us to show you the most relevant content based on your interaction with our website. You can opt-out of these cookies by managing your preferences above.
Alternatively, you can set your browser to restrict, block or delete cookies from Heathrow and our third-party advertisers, or any other website. Each browser is different, so check the 'Help' menu of your particular browser to learn how to change your cookie preferences. If you choose to disable all cookies, we cannot guarantee the performance of our websites and some features may not work as expected.
Links to other websites - This privacy notice does not cover the links within this site to third-party websites. We encourage you to read the privacy statements on the other websites you visit.
Changes to this privacy notice - We will keep this privacy notice under regular review, and we will place any updates here. At the start of this privacy notice, we will tell you when it was last updated.
