delayrepay.io

Public beta — We're still improving delayrepay.io. Sign-up is free while we're in beta; you may occasionally run into bugs or issues on the site. Thanks for your patience Report an issue.

← Back

Last updated: 2026-04-17

Privacy policy

This policy describes how we collect, use, and protect personal data when you use delayrepay.io("we", "us", "our"). It applies to visitors and registered users.

1. Data controller

The operator of delayrepay.io is the data controller for personal data processed through this website. Before you go live, replace this paragraph with your legal name and contact details as required by UK GDPR.

2. What we collect

Account and profile. If you register, we process your email address and optional display name. Sign-in credentials are handled by Supabase Auth(our authentication provider); we do not store your password in application code. Saved-route preferences you choose (for example stations, date ranges, travel days, ticket-type labels) may be stored on our hosting provider's storage.

Route searches and historic data. When you look up a route, our servers send parameters (such as stations, dates, and time windows) to third-party rail data services so we can show historic performance. Those requests may be logged by those providers under their own policies.

Issue reports.If you use "Report an issue", we store the details you submit (for example description, category, optional contact fields, page URL, and technical context such as viewport size) to investigate and improve the Service.

Usage analytics. We use privacy-oriented analytics (for example Vercel Analytics) to understand traffic and performance. That typically involves aggregated or pseudonymous data rather than a full history of everything you type.

Device storage. Your browser may store data locally (for example recent searches, cached journey details for navigation between pages, and UI preferences). This stays on your device unless you clear it; it is not the same as data we hold on our servers.

Technical logs. Like most sites, hosting infrastructure may create server or security logs (IP address, timestamps, URLs, error messages) for reliability and abuse prevention.

3. Why we use your data (purposes)

  • To provide the Service (accounts, saved routes, route results, journey views).
  • To secure the Service and prevent abuse.
  • To respond to feedback and issue reports.
  • To understand how the Service is used and to improve it.
  • To meet legal obligations where they apply.

4. Legal bases (UK GDPR)

Where UK GDPR applies, we rely on:

  • Contract — processing needed to provide features you ask for (for example maintaining your account).
  • Legitimate interests — for example running secure hosting, analytics at an appropriate level, and improving the Service, balanced against your rights.
  • Consent — where we ask for it (for example non-essential cookies or marketing, if we add them and request consent separately).
  • Legal obligation — where the law requires us to process data.

5. Sharing and processors

We use trusted service providers ("processors") to host and operate the Service, including storage, authentication, and analytics. They process data only on our instructions and under contractual safeguards. We do not sell your personal data.

Historic rail data is obtained via APIs operated under National Rail / industry arrangements; those operators process query data under their own terms.

6. International transfers

Data may be processed in the UK and the European Economic Area, and in other countries where our providers operate (for example the United States). Where data leaves the UK/EEA, we use appropriate safeguards such as the UK extension to the EU-US Data Privacy Framework or standard contractual clauses, depending on the provider and the date of transfer.

7. Retention

We keep personal data only as long as needed for the purposes above. Account data is kept while your account is active; after closure we delete or anonymise it within a reasonable period unless we must retain limited information for legal reasons. Issue reports may be kept for troubleshooting and quality for a limited time. Server logs are rotated on a typical hosting schedule.

8. Security

We use industry-standard measures appropriate to the Service (for example encrypted connections, hashed passwords, and access-controlled storage). No method of transmission or storage is completely secure; we cannot guarantee absolute security.

9. Your rights

Under UK data protection law you may have rights to access, rectify, erase, restrict, or object to certain processing, and to data portability, in each case subject to exceptions. You may also lodge a complaint with the ICO (ico.org.uk).

To exercise your rights, contact us via Report an issue or the contact details we publish here once added. We may need to verify your identity.

10. Cookies and similar technologies

We use cookies and similar technologies needed for sign-in sessions and for analytics as described above. You can control cookies through your browser settings; disabling some cookies may limit functionality (for example staying signed in).

11. Children

The Service is not aimed at children under 13 (or under 16 where stricter local rules apply). We do not knowingly collect personal data from children. If you believe we have, contact us and we will delete it.

12. Changes

We may update this policy from time to time. We will adjust the "Last updated" date and, where changes are material, provide a reasonable notice on the Service where practicable.

13. Related

See also our Terms and conditions.