Privacy Policy
Last updated: 15th May 2026
This Privacy Policy explains how Railed ("we", "us", "our") collects, uses and shares personal data when you visit our website, create an account or use our data processing platform.
This Policy is designed to comply with the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018, and may also be relevant to the EU GDPR where we handle personal data of individuals in the EEA.
1. Who we are and how to contact us
Railed is the data controller responsible for personal data covered by this Policy. We act as controller for personal data about our users, prospects and website visitors.
If you have any questions about this Policy or how we use your personal data, you can contact us using the contact details published on our website.
You also have the right to complain to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection.
2. Scope of this Policy
This Policy applies to:
- visitors to our website; and
- users who create an account and use the Service.
3. Personal data we collect
3.1 Data you provide to us
- Account and profile data: name, email address, password, job title/role, company name, and any other information you include in your profile or communications with us.
- Payment data: details of compensation paid to you, including amounts, dates and payment method information.
- Support and communications: information you provide in emails, support requests and other communications with us.
- Marketing preferences: your choices about receiving marketing and product update communications.
Payment card details are collected and processed directly by our payment processor (Stripe). We do not store your full card details.
3.2 Data we collect automatically
When you visit our website or use the Platform, we automatically collect:
- Usage data: pages visited, features used, actions taken, timestamps, and similar information about how you interact with our website and Platform.
- Log data: IP address, browser type and version, operating system and device information, referral URLs, and error logs.
- Cookies and similar technologies: small files placed on your device to enable core functionality (e.g. login sessions), analytics and (where applicable) marketing. See section 6 (Cookies and analytics).
We use tools including PostHog to help us understand how users interact with the Platform.
3.3 Data we access and process on your behalf
When you use the Service, and with your permission, we access and process data on your behalf to identify eligible delays and file Delay Repay claims. This includes:
- Email inbox access: we access your email inbox to detect train ticket purchases and booking confirmations.
- Ticket and booking data: details of your train tickets, including journey dates, times, routes, ticket types and fares.
- Journey data: information about your train journeys, including departure and arrival times and delay information obtained from rail data sources.
- Delay Repay claim data: information submitted in Delay Repay claims filed with train operators on your behalf, and any correspondence or responses from those operators.
- Compensation data: amounts received from train operators on your behalf.
We access this data only to the extent necessary to provide the Service and do not use it for any other purpose without your consent.
We do not intend to collect special categories of personal data (e.g. health, biometric or political data). Please do not submit such data to us.
4. How we use personal data and legal bases
Where we act as a controller, we use personal data for the purposes and on the legal bases summarised below.
| Purpose | Examples of data used | Legal basis (UK/EU) |
|---|---|---|
| Provide and operate the Service | Account, profile, usage, log and billing data | Contract – to perform our contract with you or the organisation you represent |
| Processing and distributing compensation payments | Payment details, compensation amounts, transaction records | Contract and legal obligation (e.g. tax, accounting) |
| Security, monitoring and abuse prevention | Log data, usage data, device and IP info | Legitimate interests – to maintain security and prevent misuse |
| Product improvement and analytics | Usage data, feature usage, aggregated metrics | Legitimate interests – to understand and improve the Service |
| Customer support and communications | Contact details, support communications | Contract and legitimate interests |
| Marketing | Contact details, marketing preferences | Consent (where required) or legitimate interests for marketing, with opt-out rights |
| Legal and regulatory compliance | All relevant categories | Legal obligation and legitimate interests (establishing or defending legal claims) |
Where we rely on legitimate interests, we balance our interests against your rights and freedoms and implement safeguards where appropriate.
Where we rely on consent (for example, for certain marketing communications or non-essential cookies), you may withdraw your consent at any time using the methods described in this Policy.
5. AI-related processing
Some features of the Platform may involve using AI models to analyse or transform data (for example, to generate insights or summaries).
- Where we use third-party AI providers, we do so in line with the terms and data-use policies of the platforms from which the relevant data originates and our agreements with those providers.
- We do not use Customer Data to train general-purpose AI models in a way that would allow data from one customer to be exposed to other customers.
- We do not engage in automated decision-making that produces legal or similarly significant effects on individuals solely based on automated processing.
6. Cookies and analytics
We use cookies and similar technologies to:
- enable core site and Platform functionality (e.g. login, session management, security);
- understand how visitors and users interact with our website and Platform (analytics);
- support marketing and advertising activities, including via third-party platforms such as Meta, Google Ads and TikTok.
Under the Privacy and Electronic Communications Regulations (PECR) and UK GDPR, non-essential cookies (such as analytics and advertising cookies) typically require consent, while strictly necessary cookies for providing an online service you request do not.
In practice this means:
- Essential cookies are set to provide the website/Service (for example, to keep you logged in and keep requests secure).
- Analytics and advertising tags should only operate with your consent, which we obtain via appropriate mechanisms (for example, a banner or similar control) where required by law.
- You can also control cookies through your browser or device settings and, where applicable, through our cookie settings interface.
More detailed information about the specific cookies and tools we use may be provided in a separate cookie notice.
7. When we share personal data
We share personal data with:
- Infrastructure and hosting providers: e.g. cloud providers such as AWS and Google Cloud, used to host and run the Platform.
- Product and analytics tools: e.g. PostHog (product analytics).
- Email and communication tools: e.g. Postmark and Google Workspace for sending and receiving emails and notifications.
- Payment processor: Stripe, which processes payments and related data.
- Professional advisers: such as lawyers, accountants and auditors, where necessary for our legitimate interests and legal obligations.
- Authorities and regulators: where required by law, regulation or court order, or to protect our rights or those of others (for example, to prevent fraud or security incidents).
We require our service providers to handle personal data only in accordance with our instructions, under appropriate contracts, and to implement suitable security measures.
We do not sell personal data.
8. International transfers
We aim to store and process personal data primarily in the UK (and where appropriate, the EEA).
If we need to transfer personal data outside the UK/EEA (for example, where a service provider operates or stores data in another country), we will ensure that appropriate safeguards are in place, such as:
- an adequacy regulation; or
- standard contractual clauses or equivalent mechanisms approved under UK data protection law.
You can contact us for more information about such transfers.
9. Data retention
We retain personal data for as long as necessary for the purposes described in this Policy, including to comply with legal, accounting and reporting requirements. In general:
- Customer account and billing data: retained for the duration of the customer relationship and typically for up to 6–7 years afterwards, to comply with tax and accounting obligations and to maintain records of contracts and transactions.
- User account data: retained for as long as the user’s account is active. If an account is closed, we may retain limited information (such as email address, role and activity logs) for a reasonable period (for example, up to 3 years) for security, record-keeping and dispute resolution.
- Marketing data: retained for as long as you remain subscribed to our marketing communications and for a reasonable period afterwards (for example, up to 2 years) to record your preferences and prove compliance.
- Logs and security data: retained for a period appropriate for security and troubleshooting purposes (for example, up to 12–24 months, unless longer is needed for an investigation).
- Customer Data (as processor): retained for the duration of the contract and for a limited period afterwards (for example, up to 90 days) to allow export and account closure, after which we will delete or anonymise such data, subject to any legal obligations requiring longer retention.
We may retain anonymised or aggregated data that does not identify individuals indefinitely.
10. Security
We take appropriate technical and organisational measures to protect personal data, including:
- encryption in transit (e.g. HTTPS/TLS) and at rest, where applicable;
- access controls and authentication for staff and systems;
- role-based access, restricting access to personal data to personnel who need it for their role;
- secure development and deployment practices, including regular patching and updates;
- monitoring for unusual activity and abuse;
- contractual obligations of confidentiality with staff and service providers.
No system is perfectly secure, but we work to reduce risks and respond promptly to incidents. If we become aware of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will notify affected customers and, where required, the ICO and/or other authorities.
11. Your data protection rights
Subject to applicable law, and typically where we act as a controller, you have the following rights in relation to your personal data:
- Right of access – to obtain confirmation as to whether we process your personal data and to request a copy.
- Right to rectification – to request that inaccurate or incomplete data be corrected.
- Right to erasure – to request deletion of your personal data, in certain circumstances.
- Right to restriction – to request that we restrict processing in certain circumstances.
- Right to data portability – to receive personal data you provided to us in a structured, commonly used format and to ask us to transfer it to another controller, where technically feasible.
- Right to object – to object to processing based on legitimate interests and to direct marketing, at any time.
- Right to withdraw consent – where we rely on consent, you may withdraw it at any time (this will not affect the lawfulness of processing before withdrawal).
You can exercise these rights by contacting us through the channels published on our website. We may ask for information to verify your identity before responding.
Where we process Customer Data as a processor, we may need to refer your request to the relevant customer (the controller), who is responsible for responding.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO). Details of how to do so are available on the ICO's website.
12. Marketing communications
We may send marketing emails and product updates to registered users:
- where you have opted in to receive them; or
- where permitted under applicable law based on our legitimate interests in promoting our services to existing or prospective users, subject to your right to opt out at any time.
You can unsubscribe:
- by clicking the “unsubscribe” link in any marketing email; or
- by contacting us using the details published on our website.
We will continue to send service and transactional communications (such as notices about your subscription, security alerts and significant product updates) even if you opt out of marketing.
13. Children
Our Service is intended for business use by adults and is not directed at children under 18. We do not knowingly collect personal data from children. If you believe that a child under 18 has provided us with personal data, please contact us and we will take steps to delete it.
14. Changes to this Policy
We may update this Privacy Policy from time to time. If we make material changes to how we use personal data, we will take reasonable steps to notify you (for example, by email or via the Platform) and will update the "Last updated" date at the top of this Policy.
We encourage you to review this Policy periodically to stay informed about how we use personal data.