Railway Careers UK
Legal

Privacy Policy

Last updated: 29 April 2026

datacontroller@railwaycareers.co.uk

1. Who we are

Railway Careers UK ("we", "us", "our") operates the website railwaycareers.co.uk. We are an independent UK rail recruitment platform.

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the Data Controller for personal data collected through this website is Railway Careers UK. You can contact our Data Controller at datacontroller@railwaycareers.co.uk.

2. What personal data we collect

We only collect what we need to run the service. The categories of personal data we may process are:

  • Account data (employers and admins): name, email address, company name, password (hashed using bcrypt — we never store plain-text passwords).
  • Newsletter / job-alert data (job seekers): email address, optional first name, optional interests/operator preferences if you sign up for targeted alerts.
  • Vacancy data (employers): job title, description, location, salary, application URL and any other content you choose to publish on a vacancy listing.
  • Postcode data (job seekers using the Vacancy Map): the UK postcode you enter is sent to the postcodes.io API to obtain coordinates for distance calculation. We do not retain your postcode after the request completes.
  • Technical data: IP address, browser type, device type, referring URL, pages visited, timestamps, error logs. Used for security, abuse prevention and analytics.
  • Cookies and similar technologies: see section 7 below.

3. Our lawful basis for processing

We rely on the following lawful bases under UK GDPR Article 6:

  • Contract — to operate your employer or admin account, post and manage vacancies.
  • Consent — to send the Monday Briefing newsletter and operator-specific job alerts. You can withdraw consent at any time via the one-click unsubscribe link in every email.
  • Legitimate interests — to operate the platform securely, prevent fraud, debug errors, generate aggregated analytics and improve the service.
  • Legal obligation — where we are required to retain or disclose data by UK law.

4. How we use your data

  • Provide and maintain the Railway Careers UK service.
  • Authenticate employer and admin accounts.
  • Send transactional emails (account verification, password reset, vacancy expiry reminders).
  • Send the Monday Briefing newsletter and operator-specific job alerts (consent only).
  • Calculate driving distances on the Vacancy Map (transient — postcode is not stored).
  • Detect and prevent fraud, abuse, scraping and security incidents.
  • Comply with legal obligations and respond to lawful requests from authorities.

5. Third-party services we share data with

We keep this list deliberately short. We do not sell your data to anyone, ever.

  • Resend (email delivery) — receives email address and message content for transactional emails and the newsletter. Resend is hosted in the EU. https://resend.com/privacy
  • Adzuna (jobs aggregation) — we *receive* public UK rail vacancy data from Adzuna. We do not send personal data to Adzuna.
  • postcodes.io (postcode geocoding) — receives the UK postcode you enter for the Vacancy Map. The postcode is not retained by us. https://postcodes.io/
  • OpenStreetMap / OSRM (map tiles and routing) — your IP address is visible to OpenStreetMap when map tiles load. https://wiki.osmfoundation.org/wiki/Privacy_Policy
  • PostHog (product analytics) — receives anonymised event data and a session ID. We do not pass email addresses or names to PostHog. https://posthog.com/privacy
  • MongoDB Atlas / hosting provider — our database and hosting infrastructure. Data is stored in the UK or EEA.

6. How long we keep your data

  • Account data: kept for as long as your account is active. We delete accounts on request within 30 days, except where we must retain limited records for legal compliance.
  • Vacancy data: retained while live, then archived for up to 24 months for reporting purposes before being permanently deleted.
  • Newsletter subscribers: kept until you unsubscribe. We delete inactive subscribers (no opens for 18+ months) automatically.
  • Technical logs: 90 days, then permanently deleted.
  • Postcode lookups: not retained — discarded after each Vacancy Map calculation.

7. Cookies and similar technologies

We use a small number of cookies and similar storage technologies. The cookie banner you see on first visit lets you accept all or essential-only.

  • Essential (always on) — session/auth cookies for employer & admin sign-in (cannot be disabled if you wish to use those features). LocalStorage is used to remember your theme preference (light/dark).
  • Analytics (optional) — PostHog uses cookies / localStorage to record anonymised pageviews and feature usage. Disabled if you choose 'Essential only' on the banner.
  • We do not use advertising cookies, third-party tracking pixels or social-media remarketing tags.

8. Your rights

Under UK GDPR you have the following rights regarding your personal data:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — ask us to correct data that is inaccurate or incomplete.
  • Right to erasure ("right to be forgotten") — ask us to delete your data, subject to legal exceptions.
  • Right to restrict processing — ask us to pause processing in certain circumstances.
  • Right to data portability — request your data in a machine-readable format.
  • Right to object — object to processing based on legitimate interests, including direct marketing.
  • Right to withdraw consent — at any time, for any consent-based processing (e.g. newsletter).
  • Right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe we have mishandled your data.

To exercise any of these rights, email datacontroller@railwaycareers.co.uk. We will respond within one calendar month.

9. How we protect your data

  • All traffic to and from the site is encrypted via HTTPS (TLS 1.3).
  • Passwords are stored using bcrypt one-way hashing.
  • Database access is restricted to a small number of named individuals on least-privilege principles.
  • Sensitive endpoints are rate-limited and brute-force protected.
  • We log security events and review them regularly.

10. Children

Railway Careers UK is intended for adult job seekers aged 16 and above. We do not knowingly collect data from anyone under 16. If you believe a child has submitted personal data, please contact us and we will delete it.

11. International transfers

Personal data is processed in the UK or European Economic Area (EEA). Where any third party we use processes data outside the UK/EEA (e.g. PostHog), it is covered by appropriate safeguards including UK International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs).

12. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Material changes will be communicated via email to registered users where appropriate.

13. Contact us

For any questions about this Privacy Policy or how we handle your data, contact our Data Controller at datacontroller@railwaycareers.co.uk.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Helpline: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
← Back to Railway Careers UK