Privacy Policy — Train Badger

Effective date: 1 March 2026

1. Who we are

Train Badger is a UK train departure app. The data controller is Train Badger, contactable at [email protected].

2. Data we collect

Data	Purpose	Storage
Email address	Account authentication	Server database
Password	Account authentication	Stored as bcrypt hash only — plaintext never retained
Auth tokens	Session management	Stored as SHA-256 hash — plaintext held only on your device
APNs device token	Push notifications for train status changes	Server database, linked to your account
Pinned service IDs, origin/destination station codes	Service monitoring and push notifications	Server database
Journey history (route, scheduled/actual times, operator, delay minutes, cancellation reason)	Calculating Delay Repay eligibility and surfacing eligible claims	Server database — automatically deleted after 28 days
Season ticket details (route, price, duration type, expiry date)	Estimating Delay Repay compensation amounts and sending renewal reminders	Server database — retained while your account is active
Saved train preferences (route, scheduled time, operator, days of week)	Automatically monitoring your regular trains and sending delay notifications	Server database — retained while your account is active
Approximate location (on-device only)	Detecting when you are near your station to auto-track commute trains (Pro, opt-in)	On-device only — never sent to server
Motion activity data (on-device only)	Detecting when you board a train to improve automatic commute tracking accuracy (Pro, opt-in)	On-device only — never sent to server

We do not collect analytics, advertising identifiers, or cookies. Location data is processed entirely on-device — coordinates are never sent to our server.

3. How we use your data

• Authentication and session management
• Delivering push notifications about train status changes you've opted into (pinned services)
• Querying National Rail departure data on your behalf
• Calculating Delay Repay eligibility for journeys you have tracked
• Estimating Delay Repay compensation based on your season ticket details
• Sending season ticket renewal reminders (if enabled)
• Automatically monitoring your saved trains and sending delay or cancellation notifications
• Detecting when you are near your regular station (on-device) to automatically track your commute train for delay notifications
• Detecting when you board a train (on-device) using motion data to improve automatic commute tracking accuracy

4. Third parties

Third Party	Data Shared	Purpose
National Rail Darwin	Station codes, service IDs (no user-identifying data)	Train departure and service data
Apple Push Notification service (APNs)	Device token, notification content	Delivering push notifications to your device
Resend	Email address	Sending password reset emails
Cloudflare Turnstile	IP address, browser challenge token	Bot protection on the support contact form

No data is sold, shared for advertising, or transferred to any other third parties.

5. Data retention

• Account data retained while your account is active
• Pinned services automatically deleted after 8 hours
• Journey history automatically deleted after 28 days (aligned with the standard Delay Repay claim window)
• Auth tokens expire after 30 days
• You can delete your account at any time (see section 7), which immediately and permanently removes all your data

6. Data security

• All connections encrypted via TLS (HTTPS)
• Passwords hashed with bcrypt
• Auth tokens hashed with SHA-256
• Database stored on a secured server with firewall restrictions

7. Your rights (UK GDPR)

Under UK GDPR, you have the right to:

• Access — request a copy of your personal data
• Rectification — correct inaccurate data
• Erasure — delete your account and all associated data (available in-app under Settings, or by contacting us)
• Data portability — receive your data in a structured format
• Objection — object to processing of your data
• Complaint — lodge a complaint with the ICO (ico.org.uk)

To exercise any of these rights, contact [email protected].

8. Changes to this policy

We may update this policy. The effective date at the top will be updated accordingly.