Privacy Policy
Last updated: April 2026. This policy applies to all users of RailDB (raildatabase.uk).
RailDB is a community photography platform. For the purposes of UK data protection law (UK GDPR and the Data Protection Act 2018), we are the data controller for information collected through this site.
If you have any questions about how we handle your data, you can contact us via the contact page.
We only collect information that is necessary to operate the service:
| Data | Why we collect it | Legal basis (UK GDPR Art. 6) |
|---|---|---|
| Username | To identify you on the platform | Contract performance (Art. 6(1)(b)) |
| Email address (optional) | Account recovery and linking Google accounts. If you separately choose to enable email notifications in Settings, your email address is also used to send you notification emails (new comments, messages, or report outcomes). You can change or remove your email address and turn off notifications at any time in Settings. | Contract performance (Art. 6(1)(b)) for account recovery; Consent (Art. 6(1)(a)) for notification emails - you must explicitly opt in and can withdraw consent at any time |
| Password (bcrypt hashed) | To authenticate you securely. We never store your password in plain text. | Contract performance (Art. 6(1)(b)) |
| Google ID & profile picture | Only if you choose to sign in with Google | Contract performance (Art. 6(1)(b)) |
| Photos you upload | To display them on the platform under your chosen licence | Contract performance (Art. 6(1)(b)) |
| Upload activity (timestamps, reaction counts) | To operate the gallery and show statistics | Legitimate interests (Art. 6(1)(f)) to operate and improve the service |
| Reports you submit | To keep the community safe | Legitimate interests (Art. 6(1)(f)) to operate and improve the service |
| Session data | To keep you signed in during your visit | Legitimate interests (Art. 6(1)(f)) to operate and improve the service |
| Bio (optional) | Displayed publicly on your profile if provided | Consent (Art. 6(1)(a)) - you choose to provide this |
| Copyright name (optional) | Embedded as a watermark credit on photos you upload. Displayed in place of your username if set. | Consent (Art. 6(1)(a)) - you choose to provide this |
| Contact messages | Messages submitted via the contact form or sent to other users are stored so we can respond and provide the messaging service. Contact form messages are accessible to site administrators and are retained until manually deleted. User-to-user messages are retained until an account is deleted. | Legitimate interests (Art. 6(1)(f)) to operate and improve the service |
We use a small number of cookies, all of which are strictly necessary to provide the service:
| Cookie | Purpose | Expires |
|---|---|---|
connect.sid | Maintains your login session | 7 days or on sign-out |
notice_* | Records that you have dismissed the site notice, so it is not shown again unless the notice changes | 1 year |
Because these cookies are strictly necessary to provide the service you have requested, they do not require your consent under the Privacy and Electronic Communications Regulations 2003 (PECR). We are however required to inform you of their existence, which we do via the notice shown at the bottom of every page.
We do not use advertising, analytics, or any third-party tracking cookies. No cookie consent pop-up is required because we use no non-essential cookies.
- Your account data and uploaded photos are kept for as long as your account is registered.
- Session data is automatically deleted after 7 days of inactivity and is only used to retain your logged in state.
- If your account is suspended following a moderation decision, all data and content associated with your account are deleted automatically after 30 days.
- If you provide an email address for notifications, it is stored for as long as your account exists or until you remove it in Settings. Removing your email address or disabling all notification toggles stops further emails immediately.
- You can request deletion of your account at any time by contacting us (see Your Rights below).
We do not sell your personal data. We only share data where necessary to provide our service or where required by law.
If you sign in with Google, your authentication is handled by Google LLC under their own privacy policy. We receive only your Google user ID, display name, email address, and profile picture.
We use Cloudflare as a content delivery and security provider. Cloudflare may process technical data such as IP addresses and may cache content to improve performance. We also use Cloudflare Web Analytics, a privacy-focused analytics tool that does not use cookies, does not track individual users across sites, and does not share data with advertisers. It collects aggregated, non-identifiable information (such as page views and referrers) to help us understand how the site is used. Cloudflare's privacy policy is available at cloudflare.com/privacypolicy.
If you have opted in to email notifications, your email address is passed to a third-party email delivery service solely for the purpose of sending those notifications. You can stop all notification emails at any time by removing your email address or disabling notification toggles in Settings.
Account data and photos are stored on infrastructure we control.
We may disclose personal data if required to comply with legal obligations or to enforce our terms.
Under the UK General Data Protection Regulation and the Data Protection Act 2018, you have the right to:
- Be informed about how your personal data is collected and used
- Access the personal data we hold about you (Subject Access Request)
- Rectify inaccurate or incomplete data
- Erase your data (right to be forgotten), where applicable under data protection law
- Restrict processing of your data in certain circumstances
- Data portability: receive your data in a structured, machine-readable format
- Object to processing based on legitimate interests
- Not be subject to solely automated decisions that significantly affect you
To exercise any of these rights, please use the contact mechanisms provided on the site. We will respond within one calendar month as required by UK GDPR.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
We primarily store and process data on servers located in the United Kingdom.
Some third-party services we use, such as Google (for authentication) and Cloudflare (for content delivery and security), may process personal data outside the UK.
These providers are responsible for handling data in accordance with their own privacy policies.
We may update this policy from time to time to reflect changes in law or our practices. Any significant changes will be noted on this page with an updated date.