Rail Expertrail.expert

Privacy Policy

Last updated: 05.11.2025

1. Data Controller (Art. 13 GDPR)

Responsible for data processing:
Arthur Lehniger
Mahtra 23
13811 Tallinn
Estonia
Email: info@rail.expert

2. What Data We Collect and Process

2.1 Data You Provide When Using Our Service

When you search for train journeys, we process:

  • Journey search queries: Origin station, destination station, date, time, number of passengers, and class preference
  • Purpose: To retrieve and display available train connections from railway operators
  • Legal basis: Performance of a service you requested (Art. 6(1)(b) GDPR)
  • Storage: Search queries are processed in real-time and not permanently stored on our servers

2.2 Automatically Collected Technical Data

Our web server automatically collects:

  • Server logs: IP address, browser type and version, operating system, referrer URL, date and time of access, requested pages
  • Purpose: To ensure technical functionality, security, and troubleshoot errors
  • Legal basis: Legitimate interest in maintaining system security and functionality (Art. 6(1)(f) GDPR)
  • Retention: 30 days

2.3 Cookies and Local Storage

We use the following cookies:

  • Language preference cookie: Stores your selected language (e.g., “en” or “de”)
    Type: Functionality cookie
    Duration: 30 days
    Legal basis: Legitimate interest in providing a user-friendly experience (Art. 6(1)(f) GDPR)
  • Theme preference cookie: Stores your light/dark mode preference
    Type: Functionality cookie
    Duration: 30 days
    Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)

You can delete cookies at any time through your browser settings.

3. Data Sharing with Third Parties

3.1 Railway Operator APIs

When you search for journeys, your search queries are transmitted to the following third-party railway operators to retrieve connection information:

  • Deutsche Bahn (DB) - Germany https://int.bahn.de/en/privacy
  • Österreichische Bundesbahnen (ÖBB) - Austria https://www.oebb.at/static/datenschutz/en/index.html
  • České dráhy (ČD) - Czech Republic https://www.cd.cz/en/info/cim-se-ridime/-31051/
  • Magyar Államvasutak (MÁV) - Hungary https://www.mavcsoport.hu/en/mav-szemelyszallitas/introduction/general-information
  • Polskie Koleje Państwowe (PKP) - Poland https://www.intercity.pl/pl/1848

Data transmitted: Station names, dates, times, and travel preferences
Purpose: To retrieve available train connections and pricing
Legal basis: Performance of a service you requested (Art. 6(1)(b) GDPR)
Note: These operators may process your data according to their own privacy policies. We recommend reviewing their respective privacy policies.

3.2 Currency Conversion Service

We use frankfurter.dev API to convert non-EUR prices to EUR for your convenience.
Data transmitted: Currency codes and amounts (no personal data)
Legal basis: Legitimate interest in providing price comparisons (Art. 6(1)(f) GDPR)

3.3 Hosting Provider

Our website is hosted by: Cloudflare
Cloudflare, Inc.
101 Townsend St.
San Francisco, CA 94107

The hosting provider processes server logs and technical data as a data processor on our behalf.

5. Data Retention

  • Journey searches: Not stored permanently (processed in real-time only)
  • Server logs: 30 days
  • Cookies: 30 days (language preference), 30 days (theme preference)

6. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR): Request information about what personal data we process
  • Right to rectification (Art. 16 GDPR): Request correction of inaccurate data
  • Right to erasure (Art. 17 GDPR): Request deletion of your data
  • Right to restriction (Art. 18 GDPR): Request limitation of data processing
  • Right to data portability (Art. 20 GDPR): Request your data in a machine-readable format
  • Right to object (Art. 21 GDPR): Object to processing based on legitimate interests
  • Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on consent

How to Exercise Your Rights

To exercise any of these rights, please contact us at:
Email: info@rail.expert
We will respond to your request within one month.

Right to Lodge a Complaint

If you believe we are not processing your data in accordance with GDPR, you have the right to lodge a complaint with a supervisory authority:

Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI)

7. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, or alteration. These include:

  • HTTPS encryption for all data transmission
  • Regular security updates and patches
  • Access controls and authentication mechanisms

8. Children's Privacy

Our service is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us.

9. Changes to This Privacy Policy

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. We will indicate the date of the last update at the top of this policy. Material changes will be communicated through prominent notice on our website.

10. Contact

For questions about this privacy policy or our data processing practices, please contact:

Arthur Lehniger
Mahtra 23
13811 Tallinn
Estonia
Email: info@rail.expert