FareGuard
HomeTerms of Service

FareGuard Privacy Policy

Effective date: February 2026
Last updated: February 2026

This Privacy Policy explains how FareGuard collects, uses, stores, and protects personal data when you use our services.

FareGuard is committed to processing personal data lawfully, fairly, and transparently in accordance with:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Privacy and Electronic Communications Regulations (PECR)

1. Who We Are

FareGuard is the data controller responsible for the personal data described in this policy.

Controller legal name: FareGuard Ltd
Registered address: 64 Lincoln Street, Birmingham, B12 9EX
Company number: 16810407
Website: https://fareguard.co.uk

Email: hello@fareguard.co.uk

FareGuard has determined that it is not required to appoint a Data Protection Officer. Data protection enquiries may be directed to the contact details above.

You have the right to lodge a complaint with the Information Commissioner’s Office (ICO): https://ico.org.uk

2. Overview of How FareGuard Works

FareGuard is a software service that helps identify potential UK rail delay compensation eligibility.

When you connect your Gmail account using Google OAuth, FareGuard performs automated processing to detect rail booking confirmation emails and extract relevant journey data.

Our data processing pipeline is designed around strict data minimisation:

  • Read-only Gmail access is established via Google OAuth.
  • Emails are programmatically scanned for recognised rail booking confirmations only.
  • Non-relevant emails are immediately discarded and not retained.
  • Relevant booking emails are parsed to extract structured journey data.
  • Email content (subject, body, sender information) is redacted and not stored at rest.
  • Only structured journey data necessary to provide the service is retained.
  • We do not modify, send, or delete emails in your Gmail account.

3. Personal Data We Collect

3.1 Account Information

  • Email address obtained through Google Sign-In
  • Authentication identifiers and session information

3.2 Gmail Booking Email Data (Limited Access)

Where you connect Gmail, we access booking confirmation emails issued by rail operators for the sole purpose of identifying journeys.

From relevant booking emails we extract structured data such as:

  • Travel dates
  • Departure and arrival locations
  • Ticket or booking reference
  • Train operator
  • Journey details

Full email content is not stored after processing.

Non-relevant emails are not retained.

3.3 Derived Journey and Claim Data

  • Structured journey records
  • Eligibility assessments
  • Claim tracking information
  • Compensation status

3.4 Technical and Service Data

  • Log files and diagnostics
  • Security monitoring data
  • System performance information

This data is used to maintain and secure the service.

3.5 Support Communications

If you contact us, we may process:

  • Your email address
  • Message content
  • Support history

4. Data We Do Not Intentionally Collect

FareGuard does not intentionally collect:

  • Passwords
  • Unrelated email content
  • Advertising identifiers
  • Precise location data
  • Device tracking data
  • Biometric or special category data

5. How We Use Personal Data

We process personal data to:

  • Provide the FareGuard service
  • Identify rail journeys
  • Assess potential refund eligibility
  • Assist with claims
  • Maintain service security
  • Provide support
  • Improve system reliability
  • Comply with legal obligations

6. Lawful Bases for Processing

We rely on the following lawful bases under UK GDPR:

Performance of a contract (Article 6(1)(b))
To provide the FareGuard service you request, including scanning booking emails and identifying refund eligibility.

Consent (Article 6(1)(a))
To access your Gmail account via Google OAuth.
You may withdraw this consent at any time by disconnecting your account.

Legitimate interests (Article 6(1)(f))
To:

  • Maintain system security
  • Prevent misuse
  • Improve reliability
  • Operate and administer the service

We balance these interests against your rights and freedoms.

Legal obligation (Article 6(1)(c))
Where required for regulatory, accounting, or legal compliance.

7. Google Account and Gmail Integration

When you connect your Google account:

  • Access is read-only
  • Processing is automated and programmatic
  • Only relevant booking emails are analysed
  • Non-relevant emails are not retained
  • Full email content is not stored at rest
  • Human review occurs only where strictly necessary for technical support

You may revoke access at any time through:

  • Google account permissions, or
  • The FareGuard dashboard

8. Google API Services User Data Policy

FareGuard’s use and transfer of information received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements.

Gmail data is used solely to provide the FareGuard service requested by the user.

Gmail data is not used for:

  • Advertising
  • Profiling unrelated to refund identification
  • Training machine learning models
  • Sale or transfer for independent third-party use

9. Additional Google User Data Protections (Limited Use Compliance)

FareGuard accesses Gmail data solely to provide the user-requested functionality of identifying rail booking confirmation emails and generating journey monitoring and compensation eligibility notifications.

FareGuard does not use Google user data for advertising, marketing, profiling unrelated to the requested service, or training machine learning or artificial intelligence models.

FareGuard does not sell, transfer, or disclose Gmail data to third parties except to service providers that are strictly necessary to operate the Service and who are contractually bound to process data only on FareGuard’s documented instructions and in accordance with applicable data protection law.

Access to Gmail-derived data by FareGuard personnel is strictly limited and controlled. Human access may occur only where necessary for technical troubleshooting, security investigation, or user-requested support. All such access is logged, access-restricted, and subject to confidentiality obligations.

FareGuard implements technical and organisational safeguards to protect Google user data, including encryption in transit and at rest, access controls, authentication mechanisms, monitoring, and secure infrastructure management.

FareGuard’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

10. Automated Processing

FareGuard uses automated processing to assess whether journeys may be eligible for delay compensation schemes.

This assessment:

  • Does not produce legal or similarly significant effects
  • Does not determine compensation outcomes
  • Does not replace decisions made by rail operators

11. Data Sharing

We do not sell personal data.

We share personal data only with:

  • Service providers acting on our instructions
  • Technical infrastructure providers
  • Legal or regulatory authorities where required

All processors are contractually bound to protect personal data.

12. International Transfers

Where personal data is transferred outside the UK, we implement appropriate safeguards such as:

  • UK International Data Transfer Agreement (IDTA)
  • Standard contractual clauses
  • Adequacy regulations where applicable

13. Data Retention

We retain personal data only as long as necessary for the purposes described.

Users may request deletion of their FareGuard account and associated data directly within the FareGuard dashboard under Account Settings, or by contacting support. Upon deletion, Gmail access is revoked and all associated personal data is permanently removed from FareGuard systems except where retention is required by law.

Typical retention periods:

Data typeRetention
OAuth tokensUntil account disconnection
Structured journey and claim dataWhile account active and for 12 months after inactivity
Technical debugging data7 to 14 days
Support correspondenceUp to 12 months
Legal and financial recordsAs required by law

When no longer required, data is securely deleted or anonymised.

14. Account Disconnection and Deletion

If you disconnect Gmail or delete your FareGuard account:

  • OAuth tokens are revoked
  • Associated personal data is deleted
  • Processing stops immediately

Some data may be retained where required by law.

15. Cookies and Similar Technologies

FareGuard uses cookies and similar technologies necessary to:

  • Maintain secure sessions
  • Operate the service
  • Ensure technical functionality

Access to production systems containing Gmail-derived data is restricted to authorised personnel on a least-privilege basis. Administrative access requires strong authentication and is monitored. Encryption keys are managed using secure key management processes. System access and data processing activities are logged and regularly reviewed.

We do not use advertising or tracking cookies.

Where non-essential cookies are introduced, we will obtain consent in accordance with PECR.

16. Security Measures

We implement appropriate technical and organisational security measures including:

  • Encryption in transit and at rest
  • Access control and authentication safeguards
  • Data minimisation and redaction
  • Monitoring and logging
  • Secure hosting infrastructure

No system can be guaranteed completely secure, but we continuously review our protections.

17. Your Data Protection Rights

You have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Request deletion
  • Restrict processing
  • Object to processing
  • Data portability
  • Withdraw consent

We respond to requests within one month where required by law.

To exercise your rights, contact: hello@fareguard.co.uk

18. Changes to This Policy

We may update this policy from time to time. Material changes will be published on our website.

End of Policy