Privacy policy

This is a statement on the processing of personal data pursuant to the EU's General Data Protection Regulation (2016/679) (GDPR).

This privacy policy ("Policy") describes how Railfinder ("Controller") collects and processes the data subject's personal data when the data subject is registering for and using Railfinder services.

Railfinder AB
Business ID: 559405-7720

For all questions related to processing personal data and situations related to exercising your rights, data subjects should contact the controller in writing by contacting us through Contact us.

The legal basis for the processing of personal data is the controller’s legitimate interest based on the customer relationship between the data subject and the controller.

The purposes of processing personal data include facilitating bookings of transport services and opt-in marketing communications.

The controller only collects personal data concerning the data subjects that are essential and relevant for the purposes explained in this privacy statement.

The following data concerning the data subjects are processed:

• name
• email address
• phone number
• date of birth
• payment details

To fulfill the purposes of this Policy, personal data, to the extent required to provide our services, is shared with the following parties. These parties are the Processors.

• Transport service providers (transport operators and distributors thereof)
• Technical services to support our online services (such as sending emails, collecting payments, etc)

The Processors process the personal data only according to instructions specified by the Controller and are obliged to take appropriate technical and organizational security measures to protect the data. The Processors shall further refrain from processing the personal data for any purpose other than as specified by the Controller.

Other than the above, personal data will not be disclosed to third parties unless the law imposes an obligation to do so. Data may, therefore, be disclosed in exceptional cases, such as to the authorities when so required by law.

As a rule, personal data will not be transferred outside of the EU and the European Economic Area. However, if this is done for a special reason, the transfer will be implemented in accordance with the European Commission’s decision on the adequacy of privacy protection.

Personal data that is connected to an active account will be stored as long as the account is active.

Personal data that is not connected to an active account or to an account that has been deactived will be processed for as long as it relates to a service that is being delivered and 2 years thereafter. At the end of this period, the controller will delete or anonymize the data within 6 months in accordance with the deletion processes it follows.

The controller may be obliged to process some personal data belonging to the filing system for longer than stated above to comply with the legislation or authority requirements.

The data subject has the right to receive confirmation regarding whether personal data concerning them is being processed and, if it is, the right to receive a copy of their personal data.

The data subject has the right to request that inaccurate and erroneous personal data concerning them be rectified. The data subject also has the right to supplement incomplete personal data by submitting the required additional information.

The data subject has the right to request the erasure of their personal data. This applies, for example, when the personal data is no longer needed for the purpose for which it was collected, when the personal data has been processed unlawfully, or if the data subject withdraws the consent on which the processing is based.

The data subject has the right to request the restriction of processing of their personal data if, for example, the data subject objects to the correctness of the data or believes that the processing is against the law.

The data subject has a right to object to processing based on a Legitimate interest. If the personal data is processed for direct marketing purposes, the data subject always has the right to object to the processing of their personal data for such marketing, including profiling related to direct marketing.

The data subject has the right to obtain the personal data relating to them and the personal data that the data subject themself has submitted. The personal data must be disclosed in a structured, commonly used, and machine-readable format. The data subject also has the right to transfer this data to another controller.

The Swedish Authority for Privacy Protection is the national supervisory authority for personal data matters. The data subject has the right to bring your case to the supervisory authority if you consider that the processing of personal data concerning you is in violation of applicable law.

The controller is continuously developing its activities and may be required to amend and update its privacy policies when necessary. The amendments may also be based on changes in the legislation concerning data protection.

If the amendments include new purposes for the processing of personal data or otherwise introduce substantial changes, the controller will provide advance notification of them and, if necessary, request consent.