Privacy Policy

Last updated: April 2026. This policy applies to all users of RailDB.

Who we are

RailDB is a community photography platform. For the purposes of UK data protection law (UK GDPR and the Data Protection Act 2018), we are the data controller for information collected through this site.

If you have any questions about how we handle your data, you can contact us via the contact page.

What data we collect and why

We only collect information that is necessary to operate the service:

Data | Why we collect it | Legal basis (UK GDPR Art. 6)
Username | To identify you on the platform | Contract performance (Art. 6(1)(b))
Email address (optional) | Account recovery; linking Google accounts | Contract performance (Art. 6(1)(b))
Password (bcrypt hashed) | To authenticate you securely. We never store your password in plain text. | Contract performance (Art. 6(1)(b))
Google ID & profile picture | Only if you choose to sign in with Google | Contract performance (Art. 6(1)(b))
Photos you upload | To display them on the platform under your chosen licence | Contract performance (Art. 6(1)(b))
Upload activity (timestamps, reaction counts) | To operate the gallery and show statistics | Legitimate interests (Art. 6(1)(f)) to operate and improve the service
Reports you submit | To keep the community safe | Legitimate interests (Art. 6(1)(f)) to operate and improve the service
Session data | To keep you signed in during your visit | Legitimate interests (Art. 6(1)(f)) to operate and improve the service
Bio (optional) | Displayed publicly on your profile if provided | Consent (Art. 6(1)(a)) - you choose to provide this
Copyright name (optional) | Embedded as a watermark credit on photos you upload. Displayed in place of your username if set. | Consent (Art. 6(1)(a)) - you choose to provide this
Contact messages | Messages submitted via the contact form or sent to other users are stored so we can respond and provide the messaging service. Contact form messages are accessible to site administrators and are retained until manually deleted. User-to-user messages are retained until the conversation is closed or an account is deleted. | Legitimate interests (Art. 6(1)(f)) to operate and improve the service

Cookies

We use a single strictly necessary session cookie named connect.sid. It is set only when you visit the site and is used solely to maintain your login session. It expires after 7 days or when you sign out, whichever is sooner.

Because this cookie is strictly necessary to provide the service you have requested, it does not require your consent under the Privacy and Electronic Communications Regulations 2003 (PECR). We are, however, required to inform you of its existence, which we do via the notice shown at the bottom of every page.

We do not use advertising, analytics, or any third-party tracking cookies. No cookie consent pop-up is required because we use no non-essential cookies.

How long we keep your data

  • Your account data and uploaded photos are kept for as long as your account is registered.
  • Session data is automatically deleted after 7 days of inactivity and is only used to retain your logged-in state.
  • If your account is suspended following a moderation decision, all data and content associated with your account are deleted automatically after 30 days.
  • You can request deletion of your account at any time by contacting us (see Your Rights below).

Who we share data with

We do not sell your personal data. We only share data where necessary to provide our service or where required by law.

If you sign in with Google, your authentication is handled by Google LLC under their own privacy policy. We receive only your Google user ID, display name, email address, and profile picture.

We use Cloudflare as a content delivery and security provider. Cloudflare may process technical data such as IP addresses and may cache content to improve performance.

Account data and photos are stored on infrastructure we control.

We may disclose personal data if required to comply with legal obligations or to enforce our terms.

Your rights under UK GDPR

Under the UK General Data Protection Regulation and the Data Protection Act 2018, you have the right to:

  • Be informed about how your personal data is collected and used
  • Access the personal data we hold about you (Subject Access Request)
  • Rectify inaccurate or incomplete data
  • Erase your data (right to be forgotten), where applicable under data protection law
  • Restrict processing of your data in certain circumstances
  • Data portability: receive your data in a structured, machine-readable format
  • Object to processing based on legitimate interests
  • Not be subject to solely automated decisions that significantly affect you

To exercise any of these rights, please use the contact mechanisms provided on the site. We will respond within one calendar month as required by UK GDPR.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

International transfers

We primarily store and process data on servers located in the United Kingdom.

Some third-party services we use, such as Google (for authentication) and Cloudflare (for content delivery and security), may process personal data outside the UK.

These providers are responsible for handling data in accordance with their own privacy policies.

Changes to this policy

We may update this policy from time to time to reflect changes in law or our practices. Any significant changes will be noted on this page with an updated date.