Privacy Policy

Last Updated: January 2025

This Privacy Policy explains how we collect, use, and protect your personal data.

1. Introduction

Welcome to Refund My Rail Ltd ("we," "our," or "us"). We are committed to protecting your privacy and ensuring your personal data is handled safely and in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This Privacy Policy explains how we collect, use, and share your personal data when you use our website or mobile application (the "Service") to track rail delays and claim compensation.

2. Who We Are (The Data Controller)

Refund My Rail Ltd is the "Data Controller" of your personal data. This means we are responsible for deciding how and why your data is processed.

Company Name: Refund My Rail Ltd

Registered Address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom

Company Number: 16886970

Contact Email: support@refundmyrail.co.uk

3. The Data We Collect

We collect different types of personal data depending on how you use our Service:

  • Identity Data: First name, last name.
  • Contact Data: Email address.
  • Journey Data: Travel dates, departure/arrival stations, ticket photos, and delay details.
  • Financial Data: Payment card information (processed securely through Stripe - we do not store your full card details on our servers).
  • Technical Data: IP address, browser type, device information, and login data.
  • Usage Data: Information about how you use our Service, including your subscription preferences, tracked routes, and claim history.

4. How We Use Your Data

We only use your personal data when the law allows us to. Most commonly, we use it in the following circumstances:

Purpose | Type of Data | Lawful Basis for Processing
To register you as a new user | Identity, Contact | Performance of a Contract
To track and manage your delay claims and calculate potential compensation | Identity, Journey, Financial | Performance of a Contract
To manage our relationship with you (e.g. notifying you of changes) | Identity, Contact | Legal Obligation
To process payments and manage subscriptions | Identity, Contact, Financial | Performance of a Contract
To send you delay notifications and service updates | Identity, Contact, Journey | Performance of a Contract
To improve our website/app | Technical, Usage | Legitimate Interests (to keep our records updated and study how customers use our products)
To send marketing updates | Identity, Contact | Consent (See Section 5)

5. Marketing and Service Updates

Marketing Communications

We keep you updated on new features, service improvements, and news about Refund My Rail Ltd only if you have explicitly agreed to receive these updates.

Lawful Basis: We rely on Consent for these communications. You must actively opt-in to receive them.

Opting Out: You can withdraw consent at any time by clicking the "unsubscribe" link in any email or updating your account settings.

Service Notifications

Even if you opt out of marketing, we may still send you essential messages related to your account (e.g., password resets, delay notifications, payment reminders, or updates on a claim you have submitted). These are necessary for the performance of our contract with you.

6. Disclosures of Your Personal Data

We do not sell your data to third parties. However, we may share your data with:

  • Service Providers: Companies who provide IT and system administration services:
    • Stripe - Payment processing (PCI-DSS Level 1 certified)
    • Render - Cloud hosting and infrastructure
    • Upstash/Redis - Data storage and caching
    • Gmail/SMTP - Email delivery services
  • National Rail Darwin API: We query this service to obtain train delay data. We do not share your personal information with National Rail - we only send journey queries (dates, stations, times) to retrieve delay information.
  • Professional Advisers: Lawyers, bankers, auditors, and insurers who provide consultancy, banking, legal, insurance, and accounting services.
  • HM Revenue & Customs & Regulators: Authorities who require reporting of processing activities in certain circumstances.

7. International Transfers

We are based in the UK. However, some of our external third parties (like cloud hosting providers and payment processors) may be based outside the UK. Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by implementing at least one of the following safeguards:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data.
  • Where we use certain service providers, we may use specific contracts approved for use in the UK (Standard Contractual Clauses or the UK IDTA) which give personal data the same protection it has in the UK.

Specifically:

  • Stripe: Processes payments and may transfer data to the United States. Stripe is certified under appropriate data protection frameworks.
  • Render: Our hosting provider may process data in various locations. Render maintains appropriate data protection measures.
  • Upstash/Redis: Data storage may be located outside the UK. Upstash maintains appropriate security and data protection standards.

8. Data Retention

How long will you use my personal data for?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

  • Account Data: Retained as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it for legal purposes.
  • Claim Data: Retained for 6 years for tax and legal audit purposes, in accordance with UK legal requirements.
  • Financial Data: Payment transaction records are retained for 7 years as required by UK tax law.
  • Marketing Data: Deleted or suppressed immediately upon your request to unsubscribe.
  • Technical Data: IP addresses and technical logs are retained for up to 90 days for security and troubleshooting purposes.

9. Your Legal Rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data, including the right to:

  • Request access to your personal data (a "Subject Access Request").
  • Request correction of your personal data.
  • Request erasure of your personal data.
  • Object to processing of your personal data.
  • Request restriction of processing your personal data.
  • Request transfer of your personal data (data portability).
  • Withdraw consent at any time where we are relying on consent to process your personal data.

If you wish to exercise any of the rights set out above, please contact us at support@refundmyrail.co.uk. We will respond to your request within one month.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive.

10. Cookies and Tracking Technologies

We use essential cookies and session storage to provide our Service. These are necessary for:

  • Maintaining your login session
  • Remembering your preferences (such as dark mode)
  • Ensuring the security of your account

We do not use third-party advertising cookies or tracking cookies for marketing purposes. You can control cookies through your browser settings, though this may affect the functionality of our Service.

11. Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. These include:

  • Encryption of data in transit using HTTPS/TLS
  • Secure password storage using industry-standard hashing (bcrypt)
  • Regular security reviews and updates
  • Access controls limiting who can access personal data
  • Secure payment processing through Stripe (we never store your full payment card details)

We have procedures in place to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

12. Children's Privacy

Our Service is not intended for children under the age of 18. We do not knowingly collect personal data from children under 18. If you are a parent or guardian and believe your child has provided us with personal data, please contact us and we will delete such information.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date.

We will also notify you via email of any material changes to this Privacy Policy if you have an account with us. You are advised to review this Privacy Policy periodically for any changes.

14. Contact Us

If you have any questions about this privacy policy or our privacy practices, please contact us:

Email: support@refundmyrail.co.uk

Post: Refund My Rail Ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.