Privacy notice

v3.0.5

Last reviewed June 2026

Legal entity processing data: Raileasy Ltd, registered at 10 Station Parade, Wanstead E11 1QF (referred to as ‘us’ in this document)

As a responsible company, the stewardship of your personal data provided to us is a top priority. As such, we feel it’s important that we detail what data of yours we handle, why we need it and – most importantly – how we keep it safe.

What data is collected, and why?

In order to fulfil your booking with a Raileasy-powered brand, we may need to collect the following PII (Personal Identifiable Information) from you:

Data Type

What data do we collect?

Why we need it

Basis for processing the data

Who handles this
  • Full name
  • Full physical address
  • Telephone number

 
  • Assist with payment processing
  • Pass through to industry systems for Ticket on Departure (ToD) fulfilment
  • Pass through to the reservations system, for sleeper bookings only (only name and telephone number)
  • Assist with support requests if you contact us
  • Us
  • Google Cloud (Google LLC)
  • Rail Delivery Group (ATOC Ltd) who control the Live Sales Management database for ToD bookings
  • If you make a sleeper reservation, Sqills Products B.V. who provide technology ("S3 Passenger") that supports rail reservations in Great Britain
  • Third-party support providers (at the time of writing, Help Scout PBC)
  • Third-party authentication system (customer name only), Firebase
  • Third-party payment provider (one of Stripe or Braintree and potentially additionally Apple Payments Services Limited or Google UK Limited if you use Apple/Google Pay)
  • Email address
  • User account management
  • To send service emails to you, such as booking confirmations, e-tickets and disruption emails
  • Newsletter-based marketing, if opted in.
  • Assist with support requests if you contact us
  • Collect customer reviews
  • Us
  • Google Cloud (Google LLC)
  • Third-party newsletter provider (at the time of writing, Spotler Limited)
  • Third-party support providers (at the time of writing, Help Scout PBC)
  • Third-party authentication system, Firebase
  • Third-party reviews provider (see below)
  • Payment card information
  • Assist with payment processing
  • Third-party payment provider (one of Stripe or Braintree and potentially additionally Apple Payments Services Limited or Google UK Limited if you use Apple/Google Pay)
    • We do not handle or hold the raw card details ourselves, in accordance with PCI-DSS guidelines

Technical data related to your visit such as:

  • IP address,
  • TLS Fingerprint
  • User-Agent
  • This allows us to assist with stopping bot traffic
  • Our CAPTCHA service providers (Cloudflare, ReCAPTCHA by Google LLC, hCaptcha by Intuition Machines Inc.)
  • Technical data related to your visit such as IP address, browser version and device details
  • This assists us with understanding issues with crashes and other technical failures you may experience whilst using our website and/or mobile apps
  • Our analytics provider Google Analytics (all frontends)/Firebase (mobile apps only)
  • Google Cloud (Google LLC)
  • Passwords
  • Email addresses
  • User agents
  • IP addresses
  • To manage customer accounts and authentication
  • Our authentication provider Firebase 
  • First name
  • Booking reference
  • Product descriptor (e.g. 'Train tickets from x to y')
  • To collect customer feedback that we can use to improve the service
  • Trustpilot A/S (registration number 30276582), Pilestraede 58, 5th Floor, 1112 Copenhagen K, Denmark

If you purchase a Railcard from us via https://railcards.trainsplit.com, we may also need to process the following information:

Data Type

What data do we collect?

Why we need it

Basis for processing the data

Who handles this

  • Full name

  • Email address

  • Assist with collecting information relevant to railcard purchasing and fulfilment 
  • Us
  • Google Cloud (Google LLC)

  • Rail Delivery Group (ATOC Ltd)

  • Photo

  • Allows visual verification that a railcard is being used by the authorised person(s)
  • Us
  • Google Cloud (Google LLC)

  • Information from identity documents (e.g. passport number, driving licence number)

  • Allows verification of details for issuance of railcards with specific eligibility requirements
  • Us
  • Google Cloud (Google LLC)

  • Payment card information

  • Assist with payment processing
  • Third-party payment provider (Stripe and potentially additionally Apple Payments Services Limited or Google UK Limited if you use Apple/Google Pay)
    • We do not handle or hold the raw card details ourselves, in accordance with PCI-DSS guidelines
  • Technical data related to your visit such as IP address, browser version and device details
  • This assists us with understanding issues with crashes and other technical failures you may experience whilst using our website and/or mobile apps
  • Our analytics provider Google Analytics
  • Our logging backend (Google Cloud)
  • Passwords
  • Email addresses
  • User agents
  • IP addresses
  • To manage customer accounts and authentication
  • Our authentication provider Firebase 

  • Technical data related to the device your railcard is stored on, such as UID and manufacturer/model number

  • Allow us to monitor railcard installations, assist with issues and enables technical compliance with device limits 
  • Us
  • Google Cloud (Google LLC)

Rail Delivery Group (ATOC Ltd) who acts as an independent Data Controller will use the data shared (full name and email address) for the purposes of fraud prevention and verification.

Where is my data handled and stored?

Your personal data is controlled by a UK-based company, so comes under UK GDPR laws and ICO guidelines. However, ourselves and partner organisations whom we pass your data through to may use trusted cloud storage providers with global locations (such as Google’s Cloud Platform and Amazon’s Web Services). All PII is stored within the UK/EEA with the exception of authentication/analytics data which is managed on our behalf by Firebase and Analytics which are both Google LLC services, and CAPTCHA services provided by Cloudflare / Google LLC / Intuition Machines Inc. The data transfer to US-based servers for these services is covered by the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework, as appropriate, and you can find out more about how this data is protected by Google (Firebase), Google (Other services: Analytics & ReCAPTCHA), Cloudflare and Intuition Machines (hCAPTCHA) on their websites as hyperlinked.

Can I opt out of data processing?

There are some scenarios where we collect data which is not regarded as either legitimate interest for processing or being required for the performance of a contract; you are usually able to opt out of this data being collected (for example, analytics, both general and specifically within the context of authorisation) by using the privacy options available in our web/mobile frontends.

What data security measures are in place?

Our cloud provider, Google, and ourselves use a range of both physical and digital protections to keep your personal data safe. In addition, we regularly run both semi-automated and manual checks on our digital infrastructure and periodic security reviews of third parties that process user data.

A note if you use third-party authentication providers such as Apple or Google

If you choose to use one of our third-party providers such as Apple or Google for signing in to your account with us, we only take a limited amount of personal data. Any data you provide to these platforms directly remains under their own data protection principles, and is subject to their own Privacy Policy as well as our own.

How do I remove my data from your systems?

At any time, you can ask us to remove or anonymise (as appropriate) any personal identifying information that we hold within our systems – please contact us if you’d like to do this. We will aim to do this in a timely manner, but within one calendar month at the latest.

Who do I ask if I’ve got questions or concerns on how my data is handled?

Raileasy’s Data Controller is:

Joe Sikking (management@raileasy.co.uk)

We take the security of your personal data seriously, so if you think there’s been a breach in trust in this for any reason, please contact our Data Controller using the details above in the first instance.

If, after contacting us, we’re unable to resolve your concerns to your satisfaction, you also have the right to make a complaint to the ICO.

You also have the right to a copy of all personally identifying data on yourself held by us in the form of a Subject Access Request (SAR) - if you would like us to do this, please contact us.