
    Privacy Policy

    Last updated: 19 May 2026

    1. Who we are

    This Privacy Policy describes how Railex ("Railex", "we", "us") collects, uses, shares and protects personal data of visitors and registered users ("you", "User") of the website railex.eu and related services (the "Service").

    Railex is operated by Railex Technology OÜ, with registered office at Järvevana tee 9, 11314 Tallinn, Estonia, Estonian commercial registry code 17515174 ("Data Controller"). For any privacy enquiry write to info@railex.eu.

    This Policy is issued pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 ("GDPR") and the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus, "IKS").

    2. Personal data we collect

    We collect the following categories of data:

    • Account data — email address, hashed password, name, handle, profile photo, biographical text, company affiliation, role, country, declared expertise, verifiable experience entries (if you choose to provide them).
    • Authentication data — session tokens, sign-in timestamps, IP address used for sign-in, and (where you use Google sign-in) the identifier and email shared by Google.
    • Usage data — aggregated and anonymised page views, referrer domain, country (derived from IP at request time and immediately discarded), browser family, screen size and Core Web Vitals samples. We collect this via Plausible (cookieless analytics, no fingerprinting) and via a self-hosted Web Vitals endpoint.
    • Content you provide — newsletter subscription email, public-profile content you submit, alerts you configure, tender bookmarks, feedback or correction notices you send us.
    • Support data — content of any email or message you send to info@railex.eu and metadata associated with it.

    We do not knowingly collect special categories of data (Art. 9 GDPR), nor data of minors under 16. We do not perform automated decision-making producing legal effects on you (Art. 22 GDPR).

    3. Purposes and legal bases

    Purpose                                  | Legal basis (Art. 6 GDPR)    | Retention
    Account creation and authentication      | (b) performance of contract  | Until account deletion
    Delivery of the Service                  | (b) performance of contract  | Duration of account
    Newsletter                               | (a) consent                  | Until you unsubscribe
    Aggregated analytics                     | (f) legitimate interest      | Up to 24 months, aggregated
    Security, abuse prevention, audit logs   | (f) legitimate interest      | Up to 12 months
    Compliance with legal obligations        | (c) legal obligation         | As required by law
    Defence of legal claims                  | (f) legitimate interest      | Up to limitation period

    Where processing is based on consent, you may withdraw consent at any time with effect for the future (Art. 7(3) GDPR).

    4. How we share data — processors

    We do not sell or rent personal data. We share it only with service providers acting as data processors under Art. 28 GDPR, bound by written processing agreements:

    • Supabase Inc. (USA / EU region) — database, authentication and edge function hosting. Data stored in the EU region (Frankfurt).
    • Vercel Inc. (USA) — frontend hosting and serverless request routing. Static assets served via global CDN.
    • Plausible Insights OÜ (Estonia / EU) — privacy-first, cookieless web analytics. No personal data, no fingerprinting, no cross-site tracking.
    • Microsoft Corporation (USA) — Microsoft Clarity for anonymised heatmaps and session recordings. Loaded only after the User grants the optional analytics cookie consent. Clarity does not collect personal data fields by default; form inputs and password fields are masked client-side. Microsoft retains Clarity data for up to 13 months. Transfer to the US under Standard Contractual Clauses; Microsoft is additionally certified under the EU-U.S. Data Privacy Framework.
    • Railex first-party event log — anonymous click and funnel events stored in Railex's own Supabase database (EU region) for product-improvement analytics. The User's IP is replaced with a daily-rotating SHA-256 hash before being stored, and rows are pruned after 90 days. Loaded only after the same optional analytics consent.
    • Anthropic PBC (USA) — large language model API used for editorial content generation and the RailBot chat assistant. The editorial pipeline sends only article drafts and public-source text. The RailBot assistant, however, transmits the User's free-text questions to Anthropic for inference — those questions may contain personal data the User volunteers (e.g. their employer, contract details, location). Anthropic does not use API inputs to train its models and retains request logs for up to 30 days for abuse-detection purposes (per Anthropic's published data policy). Transfer to the United States takes place under the Standard Contractual Clauses (Module 2 — Controller to Processor) attached to Anthropic's Commercial Terms.
    • Google LLC (USA) — image generation API (Imagen) used by the editorial pipeline to produce illustrative imagery for synthesised articles. The pipeline sends only short text prompts describing the article topic; no personal data is transmitted. Transfer to the United States under the Standard Contractual Clauses (Module 2). This is separate from the optional Google sign-in described below.
    • Perplexity AI, Inc. (USA) — Sonar Pro API used by the editorial pipeline for fact-checking and source corroboration before a draft is published. The pipeline sends only short factual queries derived from public-source text; no personal data is transmitted. Transfer to the United States under the Standard Contractual Clauses (Module 2).
    • Resend Inc. (USA) — transactional and newsletter email delivery (signup confirmations, weekly newsletter, tender alerts, password-reset emails). Resend processes the recipient email address and message metadata. Transfer to the US under Standard Contractual Clauses.
    • Stripe Payments Europe Ltd (Ireland) and Stripe, Inc. (USA) — payment processing for paid subscriptions (Essential, Pro). Stripe acts as a data processor for the checkout, recurring billing, customer portal and invoice flows. Data transmitted includes the User's name, billing address, email, IP address, tax ID (if voluntarily provided), payment card details (handled exclusively by Stripe — Railex never receives or stores card numbers), subscription history and invoices. Stripe's own retention rules apply (typically up to seven years for accounting and anti-fraud purposes per its Privacy Policy at stripe.com/privacy). Transfer to the US under Standard Contractual Clauses and Stripe's binding corporate rules.
    • OpenAI L.L.C. (USA) — used selectively for embeddings and image generation in editorial workflows. No User personal data is sent.
    • CartoDB Inc. (basemap tiles) — serves map tiles on tender and incident map pages. IP addresses processed only as necessary to serve tile requests.
    • Google LLC — only if you choose to sign in via Google OAuth. Google's own Privacy Policy applies to that interaction.
    • ipify.org — used to display your current IP in the security panel of your account. The IP is not stored by Railex.
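The first-party event log entry above says the visitor's IP is replaced by a daily-rotating SHA-256 hash before storage and that rows are pruned after 90 days. Whether that is real pseudonymisation or only obfuscation turns on one detail the policy does not spell out: the daily-rotating value must be secret. A plain SHA-256 over a public salt (the date) and the address is reversible by hashing every candidate IP, because the whole IPv4 space is only 2^32 values. The Python below is an added illustration, not Railex code. It assumes a server-side master secret from which a per-day key is derived and uses HMAC-SHA256 as the keyed form of SHA-256; it also shows the unkeyed variant being inverted over a /24, and implements the 90-day pruning. MASTER_SECRET, the function names and the sample rows are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
from datetime import date, timedelta
from typing import Iterable, List, Optional

# Constructed secret for this example; in production it would live in a
# server-side secret store and never be written to the event log.
MASTER_SECRET = b"example-master-secret-not-for-reuse"

RETENTION_DAYS = 90  # event rows are pruned after this many days


def daily_key(day: str, master: bytes = MASTER_SECRET) -> bytes:
    """Derive the per-day key from the master secret and an ISO date (YYYY-MM-DD).

    The log writer only ever needs the derived key, so a compromise of that
    component exposes at most one day's key, and yesterday's key need not
    exist anywhere once the day is over.
    """
    date.fromisoformat(day)  # validate the format before using it as key input
    return hmac.new(master, day.encode(), hashlib.sha256).digest()


def pseudonymise_ip(ip: str, day: str, master: bytes = MASTER_SECRET) -> str:
    """Keyed SHA-256 (HMAC) of the packed address under the day's key."""
    packed = ipaddress.ip_address(ip).packed  # rejects malformed input; IPv4 and IPv6
    return hmac.new(daily_key(day, master), packed, hashlib.sha256).hexdigest()


def unkeyed_hash(ip: str, day: str) -> str:
    """The weak variant: plain SHA-256 over a public salt (the date) and the IP."""
    return hashlib.sha256(f"{day}:{ip}".encode()).hexdigest()


def recover_unkeyed(token: str, day: str, candidates: Iterable[str]) -> Optional[str]:
    """Attacker's view: invert the unkeyed variant by enumerating candidate IPs.

    The date is public, so the only unknown is the address. A /24 is enough
    to make the point; the full IPv4 space is a few minutes of hashing.
    """
    for ip in candidates:
        if unkeyed_hash(ip, day) == token:
            return ip
    return None


def prune(rows: List[dict], today: str, max_age_days: int = RETENTION_DAYS) -> List[dict]:
    """Return only the event rows still inside the retention window."""
    cutoff = date.fromisoformat(today) - timedelta(days=max_age_days)
    return [r for r in rows if date.fromisoformat(r["day"]) >= cutoff]


if __name__ == "__main__":
    ip, day, next_day = "203.0.113.7", "2026-05-19", "2026-05-20"
    print("keyed, same day  :", pseudonymise_ip(ip, day) == pseudonymise_ip(ip, day))
    print("keyed, next day  :", pseudonymise_ip(ip, day) == pseudonymise_ip(ip, next_day))
    block = [str(a) for a in ipaddress.ip_network("203.0.113.0/24")]
    print("unkeyed recovered:", recover_unkeyed(unkeyed_hash(ip, day), day, block))
    print("keyed recovered  :", recover_unkeyed(pseudonymise_ip(ip, day), day, block))
    rows = [{"day": "2026-02-17", "ip_token": "..."}, {"day": "2026-02-18", "ip_token": "..."}]
    print("rows kept        :", len(prune(rows, day)))
```

The keyed token is stable within a day (so funnels can be joined) and changes the next day (so visitors cannot be followed across days), which is the property the policy describes; the unkeyed token offers neither protection once the date is known.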

    Where a processor is located outside the European Economic Area, transfers are governed by the European Commission's Standard Contractual Clauses ("SCCs") of 4 June 2021 (Commission Implementing Decision (EU) 2021/914), supplemented by additional technical and organisational measures where appropriate.

    5. Public profile content

    If you create a public profile (/u/<handle>) and choose to publish biographical content, verified experience entries, company affiliations or contact details, that content is publicly accessible to anyone and indexable by search engines.

    You control what to publish and may unpublish, edit or remove your profile from your dashboard at any time.

    6. Cookies and similar technologies

    We use only strictly necessary cookies and local storage by default. The optional analytics tools listed in section 4 (Microsoft Clarity and the first-party event log) are loaded only if you grant the optional analytics consent, which you may withdraw at any time. We do not use third-party advertising or marketing trackers. For details see our Cookie Policy.

    7. Your rights

    Under Articles 15-22 GDPR you have the right to:

    • Obtain confirmation that we process your data and access a copy of it (Art. 15)
    • Request rectification of inaccurate or incomplete data (Art. 16)
    • Request erasure of your data ("right to be forgotten", Art. 17), within the limits set by Art. 17(3)
    • Restrict processing in the circumstances listed in Art. 18
    • Receive your data in a structured, commonly used, machine-readable format and transmit it to another controller (Art. 20)
    • Object to processing based on legitimate interest (Art. 21)
    • Withdraw consent at any time for processing based on consent (Art. 7(3))
    • Lodge a complaint with a supervisory authority (Art. 77) — in Estonia, the Data Protection Inspectorate / Andmekaitse Inspektsioon (aki.ee). You may also lodge a complaint with the supervisory authority of your EU Member State of habitual residence

    To exercise these rights write to info@railex.eu. We respond without undue delay and in any event within one month; where a request is complex or we receive many, that period may be extended by up to two further months, in which case we will tell you within the first month why (Art. 12(3) GDPR). We may ask you to confirm your identity before acting on a request.

    You can also export and delete your account data directly from /dashboard/security: the export endpoint produces a JSON file containing your account data; the delete endpoint permanently removes your account and associated personal data, subject to retention periods required by law.

    8. Data security

    We implement appropriate technical and organisational measures to protect personal data, including: TLS 1.2 or higher with HSTS for data in transit, Postgres Row-Level Security on user-scoped tables, JWT-based authentication on administrative edge functions, audit logging of administrative actions, least-privilege service credentials, and periodic review of the findings of the database security advisors.

    No method of transmission or storage is 100% secure. In the event of a personal data breach we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (Art. 33 GDPR), and will notify you without undue delay where the breach is likely to result in a high risk to your rights and freedoms (Art. 34 GDPR).

    9. Retention

    Retention periods are indicated in the table at section 3. After the applicable period, personal data is deleted or irreversibly anonymised, except where longer retention is required by law (e.g. tax and accounting records — 7 years under the Estonian Accounting Act, Raamatupidamise seadus) or necessary for the establishment, exercise or defence of legal claims.

    10. Children

    The Service is directed to professionals and is not intended for users under the age of 16. We do not knowingly process personal data of minors. If you become aware that a minor has provided us with personal data, please contact us so that we may delete it.

    11. Changes to this Policy

    We may update this Policy from time to time. Material changes will be announced on the Service and, where you have an account, by email at least 30 days before they take effect. The "Last updated" date at the top reflects the version in force.

    12. Contact

    Data Controller: Railex Technology OÜ (Estonian registry code 17515174)
    Email: info@railex.eu
    Postal address: Järvevana tee 9, 11314 Tallinn, Estonia

    For other policies, see our Terms of Service, Cookie Policy, Editorial Policy, Copyright & Takedown and Companies Data Policy.