Privacy Policy

Last updated: 7 May 2026

This page explains what information Clerkenwell Trains collects when you use this site, what we do with it, and what we don't do with it. We have written it in plain English. The legal frame is the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who we are

Clerkenwell Trains is operated by Jade Browser Limited, a company registered in England and Wales. Registered office: Central Court, 25 Southampton Buildings, Holborn, London, WC2A 1AL.

For privacy enquiries you can reach us at jadebrowsercontact@gmail.com.

2. Our lawful basis for processing your data

Under the UK GDPR (Article 6) we must have a lawful basis for processing personal data. We rely on two:

• Article 6(1)(b) - necessary to perform the service you asked for. When you submit a search, we have to send your query to the train operators' booking systems to fetch a fare. Without doing that, the service simply doesn't work.
• Article 6(1)(f) - our legitimate interests. Standard web-server access logs (IP, path, timestamp) are kept so we can debug failures, plan capacity, and investigate abuse. We have weighed this against your privacy interest and concluded the brief retention period (section 11) and the absence of any further processing make this proportionate.

We do not do automated decision-making or profiling on your data, and we do not rely on consent or marketing-based bases - there is nothing on the site to consent to and we don't market to you.

3. What we collect

Clerkenwell Trains is a journey-planning tool, not an account-based service. We collect the minimum needed to return a price, and nothing else.

When you submit a search, the following information leaves your browser:

• The two stations you're searching between.
• The date and time you want to travel.
• The number of adults and children, ticket class, and any railcard you select.
• Whether you asked for a return.

This is sent to our planner so we can fetch live fares from the train operators. We log the request line in our server logs (IP address + path + timestamp) for debugging and security purposes - exactly the same way every standard web server does - and these logs are typically rotated within 30 days.

4. What we collect for sign-in and payment (optional)

You can use the planner as a guest without giving us any contact details. Two flows do require a small amount of additional data:

• Sign-in (optional). If you sign in, we collect your email address to send you a magic-link sign-in. No password. The email is held in a signed session cookie (HS256 JWT) on your device for 30 days; we don't store a separate user profile. Sign-in unlocks the £1/month unlimited subscription; you don't need it for guest bookings.
• Service fee (when applicable). Bookings cost a flat £1 service fee, or £0 if you're an active £1/month subscriber. Payment is taken by Stripe Checkout - your card details go directly to Stripe and we never see them. We receive only a payment confirmation (session id, status, the £1 amount) and store it for refunds / dispute handling. Stripe's own privacy notice (stripe.com/privacy) applies to the card data they hold.
• Rail-fare payment is NOT taken by us. The rail fare itself is paid on the train operator's own site after we hand you off - we have no role in that transaction and no access to those details.

4a. What we don't collect

• No personal contact details beyond sign-in email. We don't ask for your name, postal address, phone, or date of birth.
• No advertising trackers. No Google Analytics, no Facebook Pixel, no third-party advertising cookies.
• No cross-site tracking. We don't try to follow you around the web.
• No card data. Stripe handles card processing; the card number never reaches our servers.

5. What we use your data for

The minimum data we collect (section 3) is used only for these purposes:

• To return your search result. Your O/D pair, date, time, passenger count, ticket class, and railcard are sent to the train operators' booking systems so we can fetch live fares and show them to you.
• To keep the service running. Server access logs (IP + path + timestamp) are used for debugging, capacity planning, and security incident response.
• To prevent abuse. If we detect automated scraping or denial-of-service traffic, we (or Cloudflare on our behalf) may block specific IP addresses.

We do not use your data for advertising, profiling, statistical research outside our own service, or any commercial purpose beyond returning the price you asked for.

6. How we protect your data

• Encryption in transit. All connections to clerkenwelltrains.co.uk are HTTPS/TLS 1.3, terminated at Cloudflare's edge. Connections from Cloudflare to our origin server are made over the AWS private network in eu-west-2.
• Origin hardening. Our origin servers run on AWS EC2 with security-group-restricted ingress (only Cloudflare's published IP ranges), Windows Firewall on the loadbalancer, and a single-purpose port for HTTP traffic.
• Limited persistent storage. Section 11 covers retention. We don't run a user database; there is no centralised "profile" to be stolen.
• No third-party scripts on the front-end. No advertising SDKs, no analytics SDKs, no tag managers - nothing on the page can exfiltrate user data to a third party.

7. Cookies and local storage

We use the minimum cookies necessary for the site to function. We do not use advertising or analytics cookies.

• Functional cookies set by Cloudflare - Cloudflare provides our edge network, SSL, and bot-protection. It uses small functional cookies (typically __cf_bm) so its security layer can recognise legitimate visits. These are set and read only by Cloudflare and are described in their cookie policy.
• Browser sessionStorage - Your most-recent journey-planner result is cached locally in your browser for up to 30 minutes so reloads and back-navigation are instant. This data lives only in your own browser, never reaches our server, and is wiped when you close the tab.

8. Where the fare data comes from

Live fares are fetched on demand from the same publicly displayed booking systems used by the train operators (Avanti West Coast, LNER, GWR, the OTRL retailer family, etc.). Your search reaches them as if you were searching on their own site, but anonymised - they see the search query but not who you are.

9. Who we share data with

The only third parties involved in serving you a page are:

• Cloudflare, Inc. - provides our edge network, TLS termination, and DDoS / bot protection. Routes your request between your browser and our origin server.
• Amazon Web Services (AWS), eu-west-2 - hosts our origin server in London.
• Train operator booking systems - when you click "Continue" to book a ticket we hand you off to the operator's own site (e.g. Trainline, Avanti, LNER). At that point their privacy policy applies, not ours.

We do not sell, rent, or otherwise commercialise your data.

10. International transfers

Our origin servers are in AWS's eu-west-2 (London) region. Cloudflare may route your traffic through edge nodes outside the UK depending on where you connect from. Any cross-border transfer is covered by Cloudflare's UK Addendum to the Standard Contractual Clauses, which is the standard mechanism for UK GDPR-compliant transfers.

11. How long we keep data

• Server access logs: rotated within 30 days.
• Search queries beyond the log line: we don't keep them. Once we've returned the fare to your browser, the query parameters are not persisted on our side.
• Browser sessionStorage: wiped when you close the browser tab, or after 30 minutes of inactivity, whichever comes first.

12. Your rights

Under the UK GDPR you have the right to:

• Ask what personal data we hold about you.
• Ask us to correct any incorrect data.
• Ask us to delete your data.
• Object to our processing of your data.
• Ask for your data in a portable format.
• Withdraw consent where processing is based on consent.

In practice we hold very little - just rotating server logs - so most requests can be handled in minutes. Email jadebrowsercontact@gmail.com with your request. We may ask you to verify your identity (typically by confirming the IP address or approximate timestamps of your visits) so we know we're acting on the right person's request. We respond within one calendar month.

13. Complaints

If you are unhappy with how we have handled your personal data, please contact us first so we can put it right. You also have the right to complain to the UK Information Commissioner's Office (ICO):

• Phone: 0303 123 1113
• Web: www.ico.org.uk

14. Changes to this policy

We may update this policy when our practices change. When we do, the "last updated" date at the top of this page changes. Material changes will be flagged on the journey planner home page for at least 30 days.