Privacy Policy
Last updated: March 2026
1. Data Controller
TrainOwed ("we", "us", "our") is the data controller for personal information collected through this website and service.
Contact: privacy@trainowed.com
2. What Data We Collect
| Category | Data | Purpose |
|---|---|---|
| Identity & Contact | Name, email address | Claim processing and status updates |
| Journey | Route, date, delay length, operator, booking reference, ticket number | Eligibility assessment and claim submission |
| Financial | Bank details for compensation payout | Transferring awarded compensation |
| Technical | IP address, browser/device info, pages visited | Security, fraud prevention, analytics (with consent) |
| Usage | Interaction data (clicks, form submissions) | Service improvement (with consent) |

We do not collect special category data such as health information, biometrics, or political opinions.
3. Legal Basis for Processing (GDPR Art. 6)
- Consent (Art. 6(1)(a)): Analytics cookies and marketing communications require explicit opt-in via cookie banner.
- Contract / Pre-contractual Steps (Art. 6(1)(b)): Processing journey and identity data to handle the compensation claim you have requested.
- Legal Obligation (Art. 6(1)(c)): Financial record-keeping where required by applicable law.
- Legitimate Interest (Art. 6(1)(f)): Fraud prevention, security logging, and service improvement — marketing is excluded from this basis.
4. How We Use Your Data
- Assess compensation eligibility under EU Regulation 2021/782 and UK Delay Repay schemes
- Submit and manage your claim with the relevant train operator on your behalf
- Correspond with the operator throughout the claims process
- Send you status updates and communicate the outcome of your claim
- Transfer awarded compensation to your bank account
- Prevent platform fraud and abuse
- Improve the service through anonymised analytics (consent-based)
We do not use your data for marketing purposes without your explicit consent. We do not profile you or use automated decision-making beyond what is needed to check claim eligibility.
5. Data Sharing & Recipients
Data sharing occurs only when necessary:
- Train Operators: Journey and booking data is shared with the relevant operator to submit and pursue your claim. This is covered by the authorisation you grant us when you use the service.
- Supabase (database): EU-hosted, bound by a Data Processing Agreement.
- Vercel (hosting): Website hosting; edge functions may process requests globally with EU data safeguards in place.
- Payment processors and email delivery services: Where used, bound by data processing agreements and permitted only to provide services to us.
We never sell your personal data or share it with advertisers or data brokers.
6. International Transfers
Data is primarily stored in the EU. Where processing involves transfers outside the EU/EEA, we rely on Standard Contractual Clauses approved by the European Commission or equivalent safeguards under UK GDPR.
7. Data Retention
- Eligibility checks (no claim submitted): Deleted after 12 months
- Submitted claims: Retained for 3 years after resolution (matching EU limitation periods), then securely deleted
- Analytics data: Anonymised and aggregated — not individually linked
Earlier deletion is available upon request, subject to minimum retention required for legal and financial compliance.
8. Your Rights Under GDPR
- Access (Art. 15): Request a copy of the personal data we hold about you
- Rectification (Art. 16): Correct inaccurate or incomplete information
- Erasure (Art. 17): Request deletion ("right to be forgotten")
- Restriction (Art. 18): Limit how we process your data
- Portability (Art. 20): Receive your data in a machine-readable format
- Objection (Art. 21): Challenge processing based on legitimate interest
- Withdraw Consent: At any time, without affecting prior lawful processing
Submit requests to privacy@trainowed.com. We will respond within 30 days.
9. Cookies & Analytics
Essential cookies: Strictly necessary for the service to function; no consent required.
Analytics cookies (optional): We use Google Analytics (GA4) and Google Tag Manager to collect anonymised, aggregated data (page views, device type, country) with your consent only. No advertising cookies or cross-site tracking pixels are used.
You can modify or withdraw cookie consent at any time via the cookie banner on our site or by clearing your browser cookies.
10. Security
Technical and organisational measures include TLS/HTTPS encryption in transit, encrypted database storage at rest, access controls following the principle of least privilege, and regular security reviews.
11. Children
Our service is not directed to individuals under 16. We do not knowingly collect data from children. If you believe we have inadvertently collected data from a minor, please contact us immediately.
12. Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority. UK users may contact the Information Commissioner's Office (ICO) at ico.org.uk. EU users may contact their national data protection authority.
13. Changes to This Policy
We update this policy periodically. The "last updated" date reflects the most recent revision. Material changes will be announced on this page.
14. Contact
For privacy-related requests or questions: privacy@trainowed.com