Purpose
Railmind Ltd (“we”, “us”, or “our”) respects your privacy and is committed to protecting your personal information. This policy explains how we collect, use, store and share your information when you visit our website, contact us, or work with us.
This privacy notice applies to individuals who visit our website, contact us, use our services, or otherwise interact with Railmind Ltd, including clients, suppliers and job applicants.
Contents of this Policy
- Who we are
- The information we collect
- How we collect information
- How we use your information
- Our lawful bases for the collection and use of your data
- Marketing communications
- Cookies and analytics
- Who we share your information with
- Sharing information outside the UK
- How long we keep your personal information
- How we protect your information
- Your rights
- How to complain
- Links to other websites
- Changes to this privacy policy
Who we are
Railmind Ltd is a UK company providing communications, digital and cyber support services to the rail industry.
Registered address:
43 Albany Mews, Kingston upon Thames, KT2 5SL, United Kingdom
Email: info@railmind.uk
Website: www.railmind.uk
Railmind is the data controller. This means that we are responsible for deciding how we hold and use personal information.
We are listed on the Information Commissioner’s Office (“ICO”) register of fee payers. Our registration number is ZC022380.
The information we collect
We collect and use personal data to run our business, respond to enquiries and deliver services. This may include:
- Your name, email address and phone number
- Company name and job title
- Information you send us through forms, emails or calls
- IP addresses and device details (through cookies or analytics tools)
- Transaction data (including details about payments to and from you and details of products and services you have purchased)
- Information relating to compliments or complaints
- CVs or application details if you apply for a job
- Client and project information connected to the services we provide
We do not collect any special category (sensitive) data such as health or biometric information.
How we collect information
We collect information in several ways, including:
- Directly from you
- When you purchase or subscribe to our services
- When you fill in a form on our website or contact us via phone, email or another method
- When you opt in to receive marketing messages
- When you email, call or meet with us
- Through cookies and analytics tools when you use our website
- Through job applications and recruitment processes
- Publicly available sources
How we use your information
We use your personal information to:
- Respond to enquiries and requests
- Manage client relationships and deliver services
- Fulfil contracts and legal obligations
- Send updates, newsletters and marketing (where allowed)
- Keep our systems and data secure
- Manage recruitment and employment
We only use your information where we have a lawful basis under UK data protection law. This includes consent, legitimate interest, and contractual necessity.
Our lawful bases for the collection and use of your data
Our lawful bases for using your information
Under UK data protection law, we must have a lawful basis for each way we collect and use personal information. The lawful bases we rely on are consent, contract, legitimate interests, and legal obligation.
The table below summarises how we use your information and which lawful basis applies:
| Purpose of processing | Lawful basis | Examples of what this involves |
| --- | --- | --- |
| Providing and managing our services | Contract / Legitimate interests | Using client and contact details to manage projects, deliver services, provide updates, issue invoices, and maintain relationships. |
| Responding to enquiries | Legitimate interests | Using contact form or email details to reply to questions or requests for information. |
| Marketing and communications | Consent / Legitimate interests | Sending newsletters, updates, or information that may be of professional interest. You can opt out at any time. |
| Managing client accounts and records | Contract / Legal obligation / Legitimate interests | Maintaining accurate records for account management, invoicing, and tax or legal requirements. |
| Recruitment and employment | Legitimate interests / Legal obligation | Collecting CVs, assessing candidates, managing employment records, and verifying right to work in the UK. |
| Website analytics and cookies | Consent | Using non-essential cookies (e.g. Google Analytics) to understand how visitors use our site and improve performance. |
| Security and IT management | Legitimate interests / Legal obligation | Protecting our systems, preventing unauthorised access, and monitoring for data security. |
| Legal and regulatory compliance | Legal obligation | Keeping records and information as required by law (for example, tax, accounting or regulatory reporting, or responding to lawful requests). |
When we rely on legitimate interests, we carefully balance our business needs with your rights and freedoms, and only use information in ways people would reasonably expect in the context of a professional relationship.
You have the right to object to processing based on legitimate interests or to withdraw consent where that is our lawful basis.
For more about lawful bases, visit the ICO’s guidance: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis-checker/
Marketing communications
We may send you updates or newsletters about our work and services.
You can unsubscribe at any time by clicking the link in our emails or by contacting us at info@railmind.uk.
We rely on both consent and legitimate interest to send marketing communications, depending on the situation.
We use limited business contact details to share relevant information, such as company updates, press releases, service developments, or industry insights that may be of professional interest to clients, suppliers, and contacts within the rail sector.
Our legitimate interest is to maintain awareness of our work and to keep our professional network informed of developments that support collaboration, safety, and innovation within the rail industry. These communications are intended for business purposes and sent only to individuals who have engaged with Railmind or are likely to have a professional interest in our activities. The personal data involved is minimal (usually name, job title and business email) and used in a proportionate and respectful way.
We ensure all communications are relevant, infrequent, and provide a clear and easy way to opt out or update preferences at any time. This approach helps Railmind maintain professional relationships, share useful insights, and support wider industry engagement, while keeping the impact on individuals’ privacy very low.
Cookies and analytics
Our website uses cookies and Google Analytics to help us understand general website traffic and usage patterns. The information collected is aggregated and does not identify individual visitors. Google Analytics processes anonymised usage data, such as page visits and time on site, to help us improve performance.
Non-essential cookies (including analytics) are used only with your consent, which you can manage via our cookie banner or browser settings.
You can manage or disable cookies through your browser settings. For more information about cookies, visit www.allaboutcookies.org.
Please refer to our cookie policy for full details.
Who we share your information with
We may ask third parties to carry out certain business functions for us, such as the administration of our website, email, cloud hosting, form services, and secure information storage providers. These third parties will process your personal data on our behalf and this means they are our data processors under data protection laws. We will disclose your personal data to these parties so that they can perform those functions. Before we disclose your personal data to these third parties, we will seek to ensure that they have appropriate security standards in place to protect your personal data. Examples of these third party service providers include our outsourced IT systems software and maintenance, back up, and server hosting providers.
These organisations act as data processors on our behalf and are bound by contracts to keep your information secure and comply with data protection law.
Sharing information outside the UK
Our main IT and cloud services are provided through Microsoft 365, which operates within the EU Data Boundary. This means that most customer and personal data for UK and EU users is stored and processed within the UK and European Economic Area (EEA), except in very limited cases (for example, global security monitoring or troubleshooting).
All Microsoft 365 services comply with the UK GDPR and EU GDPR, and we have contractual and technical safeguards in place to protect all personal data handled through these systems.
We also use Google Analytics to understand website traffic. This involves anonymised or pseudonymised usage data and does not provide us with personally identifiable information.
We do not routinely transfer personal data outside the UK or EEA. Where limited transfers are necessary, we ensure they are protected by appropriate safeguards recognised under UK data protection law.
Where data is transferred to the United States, this is done under the UK–US Data Bridge or standard contractual clauses approved by the UK Government.
How long we keep your personal information
We need to keep your personal information for as long as necessary to fulfil the purposes for which it was collected.
| Type of information | Retention period |
| --- | --- |
| Client and project information | Normally kept for up to six years after the end of a contract or working relationship, to meet business, legal and tax requirements. |
| Enquiry information | Kept for up to 12 months if no further relationship is established, in case of follow-up discussions. |
| Marketing contact details | Kept until a person chooses to unsubscribe or opt out. |
| Recruitment information | Kept for up to six months after the recruitment process ends, unless the candidate agrees to a longer retention period. |
| Employee and contractor records | Retained in line with UK employment and tax law (usually up to six years after employment ends). |
When we no longer need personal information, it is securely deleted or anonymised.
For more information on how long we store your personal information or the criteria we use to determine this please contact us using the details provided above.
How we protect your information
We use secure systems and controls to protect your data, including Microsoft 365 cloud storage and password-protected devices. Only authorised team members have access to personal data, and all staff are trained in data protection and information security.
Your rights
Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.
Which lawful basis we rely on may affect your data protection rights which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:
- Your right of access – You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions, which means you may not receive all the information you ask for. Read more about the right of access.
- Your right to rectification – You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. Read more about the right to rectification.
- Your right to erasure – You have the right to ask us to delete your personal information. Read more about the right to erasure.
- Your right to restriction of processing – You have the right to ask us to limit how we can use your personal information. Read more about the right to restriction of processing.
- Your right to object to processing – You have the right to object to the processing of your personal data. Read more about the right to object to processing.
- Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you. Read more about the right to data portability.
- Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent at any time. Read more about the right to withdraw consent.
If you make a request, we must respond to you without undue delay and in any event within one month.
We may ask you for proof of identity before responding to your request, to protect your information.
To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.
How to complain
If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.
If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint
Links to other websites
We may link from our websites directly to other sites. For instance there is a link to the ICO’s own website within this Privacy Policy. This Privacy Policy does not cover other websites and organisations we may link out to from our website. We strongly encourage you to read the privacy statements on the other websites you visit.
Changes to this privacy policy
We may update this Privacy Policy from time to time. The latest version will always be available on our website.
This Privacy Policy was last updated on 07 November 2025.
If you have questions about this privacy policy or how we handle your data, please contact us at info@railmind.uk.