RailSlot
Launch app

title: "Privacy Policy" lastUpdated: "2026-05-22"

Privacy Policy

RailSlot Platform
Effective Date: December 8, 2025
Version: 1.0
GDPR Compliant

1. Introduction

RailSlot OÜ ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our railway capacity optimization platform ("Service").

Data Controller:
RailSlot OÜ (Estonia, registration in progress)
Address: Estonia
Email: erkin.zhusanbayev@railslot.io
DPO: [To be appointed]

Scope: This policy applies to:

  • Website visitors (www.railslot.io, app.railslot.io)
  • Service users (customers with accounts)
  • API clients (programmatic access)

2. Information We Collect

2.1 Information You Provide

Account Registration:

  • Full name, email address, phone number
  • Company name, VAT number, billing address
  • Job title, department

Service Configuration:

  • Railway routes monitored (origin/destination)
  • Alert preferences (email, SMS, webhook URLs)
  • Booking preferences (price thresholds, capacity types)

Payment Information:

  • Payment details are processed by Polar (polar.sh), our Merchant of Record. RailSlot does not store full card numbers.
  • Billing history, invoices

Communications:

  • Support tickets, emails, chat messages
  • Feedback, feature requests, survey responses

2.2 Information Collected Automatically

Technical Data:

  • IP address, browser type, device ID
  • Operating system, screen resolution
  • Referral source (how you found us)

Usage Data:

  • Pages visited, features used, time spent
  • API calls (endpoint, timestamp, response time, status code)
  • Search queries, filters applied

Cookies & Tracking:

  • Session cookies (authentication)
  • Analytics cookies (Google Analytics, Mixpanel)
  • Marketing cookies (LinkedIn Insight Tag, optional)

Geolocation:

  • Approximate location (city-level, from IP address)
  • Precise location (only if you grant permission for mobile app - not currently used)

2.3 Information from Third Parties

RNE (RailNetEurope):

  • Railway capacity availability data (public data)
  • Booking confirmations (if using our booking feature)

Infrastructure Managers (IMs):

  • Network topology (public timetables, track layouts)
  • Train positions (if integrated with IM APIs)

Payment Processor (Polar):

  • Payment success/failure notifications
  • Fraud risk scores

3. How We Use Your Information

3.1 Provide the Service

  • Account management: Authentication, access control
  • Capacity monitoring: Track availability, send alerts
  • Price predictions: ML model inference (anonymized data)
  • Reporting: Generate usage reports, ROI dashboards
  • API access: Process requests, enforce rate limits

3.2 Communicate with You

  • Transactional emails: Account confirmations, password resets, invoices
  • Service updates: New features, maintenance notifications, security alerts
  • Marketing (opt-in): Product announcements, case studies, webinars
  • Support: Respond to inquiries, troubleshoot issues

3.3 Improve the Service

  • Analytics: Understand feature usage, identify bugs
  • A/B testing: Experiment with UI changes (anonymized)
  • ML training: Improve price prediction accuracy (anonymized aggregated data)

3.4 Legal & Security

  • Fraud prevention: Detect suspicious activity, block abuse
  • Compliance: Fulfill legal obligations (GDPR, tax laws, court orders)
  • Intellectual property: Protect our rights (DMCA takedowns, litigation)

3.5 What We DON'T Do

  • Sell your data to third parties (never)
  • Share data with competitors (strict confidentiality)
  • Use for advertising (no ad network integration, no retargeting based on your capacity bookings)
  • Track across websites (no cross-site tracking beyond our domain)

4. Legal Basis for Processing (GDPR)

For EU users, we process data based on:

| Purpose | Legal Basis | Example | |---------|-------------|---------| | Provide Service | Contract performance (GDPR Art. 6(1)(b)) | You signed up, we deliver the service | | Billing | Contract performance | Invoice generation | | Marketing emails | Consent (Art. 6(1)(a)) | You checked "subscribe to newsletter" | | Analytics | Legitimate interest (Art. 6(1)(f)) | Improve platform, fix bugs | | Fraud prevention | Legitimate interest | Protect our business, other users | | Legal compliance | Legal obligation (Art. 6(1)(c)) | Tax reporting, court orders |

You can withdraw consent anytime (for marketing emails, use unsubscribe link).

5. Data Sharing & Disclosure

5.1 Service Providers (Processors)

We share data with trusted vendors:

| Vendor | Purpose | Data Shared | Location | |--------|---------|-------------|----------| | Scaleway | Hosting, database | All service data | France (EU) | | Vercel | Frontend CDN | IP, usage logs | Global (EU-first) | | Polar | Payments | Billing info | Per Polar privacy policy | | Mixpanel | Analytics | Usage events (anonymized) | US (DPA signed) | | SendGrid | Emails | Email address, name | US (DPA signed) | | Twilio | SMS alerts | Phone number | US (DPA signed) |

All vendors sign Data Processing Agreements (DPAs) ensuring GDPR compliance.

5.2 Business Transfers

If we are acquired, merge, or sell assets:

  • Your data may transfer to the new owner
  • We will notify you 30 days in advance
  • You can delete your account before transfer

5.3 Legal Requirements

We may disclose data if:

  • Court order or subpoena (we will notify you unless prohibited)
  • Law enforcement request (with valid legal basis)
  • Emergency: Prevent harm, fraud, or illegal activity

5.4 Aggregated Data

We may share anonymized, aggregated statistics publicly:

  • "50,000 capacity slots monitored in Q1 2026"
  • "Average price prediction accuracy: 87%"

No individual or company-specific data is shared.

6. Data Retention

| Data Type | Retention Period | Reason | |-----------|------------------|--------| | Account data | Active accounts: Indefinite | Service operation | | Deleted accounts | 30 days (then purged) | Recovery window | | Invoices | 7 years | Tax compliance (EU/NL law) | | Usage logs | 12 months | Debugging, analytics | | Support tickets | 3 years | Reference for recurring issues | | Marketing emails | Until unsubscribe | Opt-out honored immediately |

Right to erasure: You can request data deletion anytime (except legally required records).

7. Your Rights (GDPR - EU Users)

7.1 Access

Right: Obtain copy of your data
How: Dashboard → Settings → Export Data (JSON format)
Timeframe: Immediate (self-service) or 30 days (request to erkin.zhusanbayev@railslot.io)

7.2 Rectification

Right: Correct inaccurate data
How: Dashboard → Settings → Edit Profile
Timeframe: Immediate (self-service)

7.3 Erasure ("Right to be Forgotten")

Right: Delete your account and data
How: Dashboard → Settings → Delete Account (or email erkin.zhusanbayev@railslot.io)
Timeframe: 30 days (soft delete), then permanent deletion
Exceptions: We may retain data if required by law (invoices for 7 years)

7.4 Portability

Right: Export data in machine-readable format
How: Dashboard → Export (JSON, CSV)
Timeframe: Immediate

7.5 Object

Right: Opt out of:

  • Marketing emails (unsubscribe link)
  • Analytics cookies (browser settings, see Section 8)
  • Automated decision-making (currently not used)

How: Email erkin.zhusanbayev@railslot.io with "Object to processing"

7.6 Restrict Processing

Right: Temporarily limit how we use data (e.g., while disputing accuracy)
How: Email erkin.zhusanbayev@railslot.io
Timeframe: We will respond within 30 days

7.7 Complain

Right: Lodge complaint with supervisory authority
Lead Authority (Netherlands): Autoriteit Persoonsgegevens (AP)
Website: autoriteitpersoonsgegevens.nl

8. Cookies & Tracking

8.1 Cookie Types

| Cookie | Purpose | Duration | Required? | |--------|---------|----------|-----------| | auth_token | Session authentication | 30 days | ✅ Essential | | csrf_token | Security (CSRF protection) | Session | ✅ Essential | | _ga | Google Analytics | 2 years | ❌ Optional (analytics) | | _mixpanel | Mixpanel analytics | 1 year | ❌ Optional (analytics) | | li_fat_id | LinkedIn tracking | 30 days | ❌ Optional (marketing) |

Consent: Non-essential cookies require consent (banner on first visit).

8.2 Opt-Out Options

Browser settings:

  • Chrome: Settings → Privacy → Cookies
  • Firefox: Preferences → Privacy → Cookies
  • Safari: Preferences → Privacy → Block All Cookies

Do Not Track (DNT):
We respect DNT signals (disable analytics cookies if DNT=1).

Analytics opt-out:

9. International Data Transfers

Primary storage: EU (France, Netherlands)
Third-party services: Some vendors are US-based (Polar, Mixpanel, SendGrid)

Protection mechanisms:

  • Standard Contractual Clauses (SCCs): EU-approved contract ensuring GDPR compliance
  • Data Processing Agreements (DPAs): Signed with all US vendors
  • International transfers: Polar acts as Merchant of Record; see Polar's documentation for transfer safeguards.

Your rights remain unchanged even when data is transferred outside EU.

10. Security Measures

We protect data with:

Technical measures:

  • Encryption: TLS 1.3 (in transit), AES-256 (at rest)
  • Access control: Role-based permissions, 2FA available
  • API security: Rate limiting, API key rotation
  • Monitoring: Intrusion detection, automated alerts

Organizational measures:

  • Employee training: Annual security awareness program
  • Background checks: All engineers vetted before access
  • Incident response plan: Breach notification within 72h (GDPR requirement)
  • Audits: Annual penetration testing, quarterly security reviews

No system is 100% secure. You acknowledge inherent risks of internet transmission.

11. Data Breach Notification

If we discover a breach affecting your data:

Step 1: Containment (Within 1 hour)
Stop the breach, secure systems

Step 2: Assessment (Within 24 hours)
Determine scope, impact, affected users

Step 3: Notification (Within 72 hours - GDPR requirement)

  • Supervisory authority: Dutch DPA (Autoriteit Persoonsgegevens)
  • Affected users: Email with details (what happened, what data, what we're doing)
  • Public disclosure: If >1,000 users affected

What we tell you:

  • Nature of breach (e.g., "unauthorized access to database")
  • Data affected (e.g., "names and email addresses, no payment info")
  • Actions taken (e.g., "patched vulnerability, reset passwords")
  • Recommended actions (e.g., "change your password")

12. Children's Privacy

Service is B2B only (not intended for individuals under 18).

If we learn a child under 18 registered:

  • We will delete the account immediately
  • Parents/guardians: Contact erkin.zhusanbayev@railslot.io

13. Changes to This Policy

We may update this policy:

  • Notice: Email + banner on dashboard (30 days before changes take effect)
  • Material changes: Explicit opt-in required (e.g., new data sharing partners)
  • Version history: Previous versions available at app.railslot.io/privacy-history

Continued use after 30 days = acceptance.

14. Contact & Data Protection Officer

Privacy inquiries:
Email: erkin.zhusanbayev@railslot.io
Address: RailSlot Technology B.V., Estonia

Data Protection Officer (DPO):
[To be appointed - required if we process >250 employees' data or high-risk data]
Email: erkin.zhusanbayev@railslot.io

Response time: 30 days (or 90 days if complex request, with explanation)

15. Your California Privacy Rights (CCPA)

If you are a California resident:

Right to know: What data we collect, how we use it, who we share with (see Sections 2-5)

Right to delete: Request deletion (same as GDPR erasure, Section 7.3)

Right to opt-out of sale: We do NOT sell personal information (never have, never will)

Right to non-discrimination: We will not discriminate if you exercise privacy rights

How to exercise: Email erkin.zhusanbayev@railslot.io with "CCPA Request"

Verification: We may ask for additional info to verify your identity (prevent fraudulent requests)

16. Definitions

Personal Data: Information that identifies you (name, email, IP address, etc.)

Processing: Any operation on data (collection, storage, use, disclosure, deletion)

Data Controller: RailSlot (decides why/how data is processed)

Data Processor: Vendors who process data on our behalf (Polar, Scaleway, etc.)

DPA: Data Processing Agreement (contract ensuring GDPR compliance)

Acceptance:
By using the Service, you acknowledge that you have read and understood this Privacy Policy.

Last Updated: December 8, 2025
Version: 1.0 (Initial release)

Related Documents: