Privacy Policy
Draft — last edited alongside the site build
ApexRail Ltd ("ApexRail", "we", "us") respects your privacy. This page explains what personal data we collect through apexrail.co.uk and the ApexRail Connect app, why we collect it, and how it's protected.
Who we are
ApexRail Ltd is a UK-based rail workforce and recruitment company. [Add registered company number and registered office address here.] For any privacy question, contact us via the contact page.
What we collect
- Account details — username, hashed password, and (for ApexRail Connect users) first and last name.
- Attendance records — check-in and check-out timestamps and the work location you enter, used to maintain a safety and attendance record.
- Contact and careers form submissions — name, email, phone, company and message content you choose to submit.
- Technical data — standard web server logs and a session cookie used to keep you signed in (see our Cookie Policy).
We do not collect payment card details, and we do not use third-party advertising trackers.
Why we collect it
- To operate your account and the check-in/check-out safety record (contract necessity / legitimate interest in worksite safety).
- To respond to enquiries submitted through the contact and careers forms.
- To keep the service secure — rate-limiting, audit logging of sensitive account actions, and two-factor authentication where enabled.
How long we keep it
Attendance records are kept as a permanent safety and compliance archive unless you ask us to review this. Account data is kept while your account is active. Contact form messages are retained for as long as reasonably needed to handle the enquiry. [Confirm your organisation's actual retention periods here.]
Who we share it with
We do not sell personal data. Data is stored on our own server infrastructure. [List any processors here — e.g. your hosting provider, if applicable.]
Your rights
Under UK GDPR you can ask to access, correct, delete, or export the personal data we hold about you, and you can object to certain processing. To exercise any of these rights, contact us via the contact page. You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.
Security
Passwords are hashed with bcrypt and never stored in plain text. Session cookies are set with the HttpOnly and Secure attributes. Optional two-factor authentication is available for account holders. Sensitive admin actions are recorded in an audit log.
Changes to this policy
We may update this policy as the service changes. Material changes will be reflected on this page with an updated date.