Privacy Policy
This Privacy Policy explains how Check-a-Train collects, uses, and protects personal data.
1. Who we are
Check-a-Train is a UK-based Delay Repay assistant web application available at checkatrain.com.
The public-facing brand is Checkatrain. The Service is currently operated by Dan John.
Check-a-Train is independent. It is not affiliated with National Rail, the Rail Delivery Group, or any train operator.
2. What Check-a-Train does
Check-a-Train helps UK rail passengers identify whether a train service was delayed or cancelled and navigate to the relevant operator's Delay Repay claim process.
It is not a journey planner and does not submit claims on your behalf. Final Delay Repay eligibility and compensation decisions are made by the relevant train operator.
Account holders may also use features such as saved journeys, morning alerts, journey reports, claim-history records, premium account preferences, and Commuter subscription billing where available.
3. Data we collect
Depending on how you use the Service, you may provide:
- journey searches, including stations, dates, approximate times, search windows, and related query parameters;
- account details such as your email address and password handled through Supabase Auth;
- age or guardian confirmation at sign-up, without date-of-birth collection;
- saved journeys, alert preferences, journey reports, premium preferences, and claim-history entries;
- support and contact messages, including optional journey or account context;
- account deletion requests, including request status and any optional note you provide;
- the Commuter plan you select before being sent to Stripe Checkout.
We also collect operational data automatically, including request metadata, search parameters, response times, errors, session data, rate-limit signals, Turnstile challenge data when enabled, and browser storage data for recent searches and status-banner dismissal.
Check-a-Train does not ask for your date of birth, National Insurance number, postal address, ticket numbers, full payment card details, or bank details in its own forms. Stripe collects and processes payment details directly.
4. Legal basis for processing
We rely on the following bases under UK GDPR Article 6:
- Contract. Account features, Commuter subscriptions, saved journeys, journey reports, premium preferences, claim history, and essential account emails.
- Consent. Morning delay and cancellation alerts that you opt in to per journey and can disable.
- Legitimate interests. Anonymous journey search, service operation, security, rate limiting, Turnstile checks, debugging, error tracking, support handling, and abuse prevention.
- Legal obligation. Records needed for legal, tax, accounting, consumer-rights, billing, or data-protection obligations where applicable.
5. How the data is used
We use this data to:
- identify services, show delay and cancellation information, and link to operator claim pages;
- maintain your account, saved journeys, alert preferences, premium preferences, journey reports, and claim-history records;
- start and manage Commuter subscriptions through Stripe Checkout, Stripe webhooks, and Stripe Customer Portal;
- send essential account emails and morning delay alerts where enabled;
- respond to support, privacy, legal, and accessibility requests;
- run, debug, monitor, and protect the Service against abuse, provider failures, and infrastructure failures.
We do not sell your personal data or use it for profiling that produces legal or similarly significant effects.
6. Rail data and claim handoff
Check-a-Train uses third-party rail data to identify services and derive delay evidence. This includes live rail data and historical or enrichment sources where configured.
When you follow a claim link, you leave Check-a-Train and submit any claim directly with the relevant train operator. The operator's own privacy practices, terms, claim rules, and decisions apply from that point.
Check-a-Train may record a claim-history entry for signed-in Commuter users when a claim handoff is started, but it does not submit the claim to the operator for you.
See also the Rail Data and Delay Repay Disclaimer for more detail on rail-data limitations, historical coverage, and claim handoff.
7. Cookies, local storage, and similar technology
The Service uses strictly necessary cookies for account sessions and security. Supabase Auth session cookies are used to keep you signed in and refresh your session.
The Service also uses browser localStorage for:
- recent searches on the home/search page; and
- status-banner dismissal state.
Cloudflare Turnstile may load challenge technology on sign-in and contact surfaces when enabled. We do not currently use marketing cookies, advertising trackers, Google Analytics, Meta Pixel, heatmapping tools, or session replay tools. See the Cookies and Browser Storage page for the current cookie and storage position.
8. Service providers
We share data with third-party providers only where necessary to operate the Service:
- Supabase - authentication, account data, database storage, and session cookies.
- Vercel - hosting, serverless functions, deployment, and runtime logs.
- Resend - transactional email delivery for account, support, contact, and alert emails.
- Stripe - Checkout, subscription billing, Customer Portal, invoices, card handling, and webhooks.
- Rail Data Marketplace / Darwin LDBWS - live rail service data.
- HSP / Darwin historical performance endpoints - historical enrichment and service-detail evidence where configured.
- Sentry - error tracking and performance debugging when NEXT_PUBLIC_SENTRY_DSN is configured in production.
- Cloudflare Turnstile - abuse-prevention challenge on sign-in and contact surfaces when enabled.
- Train operators - claim handoff after you leave Check-a-Train.
- Product OS signal endpoint - optional product signal emission when PRODUCT_OS_SIGNAL_ENDPOINT is configured.
Each provider processes data under its own terms and privacy policy.
9. Operational logs and error tracking
Operational logs may include request metadata, route names, provider errors, status codes, timing information, IP-derived rate-limit keys, and error messages. Logs are used to run, secure, debug, and support the Service.
We try to avoid deliberately logging personal data, secrets, raw message bodies, cookies, or tokens. However, logs and error-tracking context may accidentally include user-provided context, search parameters, account identifiers, or provider error details. We do not describe these logs as anonymous.
Sentry is configured in the repository and is active only when production configuration includes a Sentry DSN.
10. International data transfers
Some providers operate infrastructure outside the UK or European Economic Area. Where personal data is transferred internationally, transfer safeguards apply. These include adequacy decisions, the UK International Data Transfer Agreement (IDTA), or the UK Addendum to EU Standard Contractual Clauses, depending on the provider. Major providers including Stripe, Vercel, Resend, Sentry, and Supabase operate under standard data-processing agreements that include applicable transfer mechanisms for UK data subjects.
11. Security
We take reasonable technical and organisational measures to protect personal data, including HTTPS, Supabase Auth session handling, row-level security on user-owned tables, server-side entitlement checks, rate limiting, optional Turnstile checks, Stripe webhook signature verification, restricted service-role access, operational monitoring, and audit logging for privileged operations.
No system is completely secure. We will notify you in accordance with applicable law if a personal data breach affecting your data occurs.
12. Data retention
We retain personal data only as long as necessary for the purpose it was collected, unless a longer period is required or permitted by law.
- Account data, profile settings, saved journeys, alert preferences, premium preferences, and claim history are retained while your account is active, subject to legally required or permitted retention.
- Stripe billing records and stored billing identifiers are retained as needed to manage subscriptions, resolve billing disputes, support legal/tax/accounting obligations, and maintain auditability of paid access.
- Alert logs are retained for operational, troubleshooting, and support purposes for up to 90 days.
- Operational, security, and error logs are retained for the period needed to run and protect the Service, typically up to 70 days.
- Support and contact messages are retained for the period needed to handle the request and for a reasonable follow-up period.
- Account deletion requests are retained for the period needed to process the request and keep an appropriate record of the response, subject to legal and operational limits.
- Product OS signals are retained according to the configured recipient's retention settings if that endpoint is enabled.
13. Children's data
Check-a-Train is not intended for direct use by children under 16. Account holders must confirm that they are 16 or older, or that a parent or guardian is creating and managing the account on behalf of a child passenger. We do not collect date of birth for this confirmation.
Delay Repay claims may relate to child tickets. A parent or guardian may use the Service to check a journey and claim on behalf of a child. If you believe a child under 16 has provided personal data to us without appropriate consent, please contact us through the contact page.
See also Terms and Conditions for the associated account sign-up requirements.
14. Your rights
You have rights over the personal data we hold about you under UK data protection law. These may include:
- Access. You can ask for a summary of the personal data we hold about you.
- Correction. You can ask us to correct inaccurate or incomplete personal data.
- Deletion. You can ask us to delete personal data we hold about you, subject to security, legal, billing, dispute, fraud-prevention, or operational limits.
- Restriction. You can ask us to limit how we use your personal data in certain circumstances.
- Objection. You can object to processing based on our legitimate interests.
- Withdrawing consent. Where we rely on consent, such as for delay alerts, you can withdraw it at any time.
- Data portability. Where processing is based on consent or contract and carried out by automated means, you may request a machine-readable copy of the data you provided.
To exercise any of these rights, use the contact page and select Privacy request as the category. For account deletion specifically, signed-in users can also submit a deletion request from account settings. Please include your account email address and a description of your request where relevant.
If you are not satisfied with our response, you may raise a concern with the UK Information Commissioner's Office at ico.org.uk.
15. Your choices
You can use the core train-checking flow without creating an account.
If you have an account, you can manage saved journeys and alert preferences from your account screens. You can disable or re-enable delay alerts from your alerts page, or use the unsubscribe link in any alert email without signing in.
You can manage Commuter billing through the Stripe Customer Portal where available, and you can request account deletion from account settings or by contacting us through the contact page.
Clearing local browser storage may remove recent-search history and status-banner dismissal state on that device.
16. Changes to this Policy
We may update this Privacy Policy when the Service changes or when legal or regulatory requirements change. Significant changes will be communicated where practicable, for example through the account area or on the website.
17. Contact
For privacy questions, data requests, or concerns, use the contact page and select Privacy request as the category.
Please include your account email address and describe what you are asking for. We will aim to acknowledge promptly and respond within the timeframe required by applicable law.