Privacy Policy

This Privacy Policy explains how Railr collects, uses, stores, and protects personal data in connection with access to and use of the Railr platform, network, and API.

The Railr network is operated by Railr Inc., a c corporation registered in the State of Wyoming, United States of America. Railr intellectual property is owned by Caradon Enterprises Inc., incorporated in the Republic of Panama, under licence to Railr Inc. References to Railr, we, us, or our in this policy refer to Railr Inc. and its associated entities operating under the Railr brand.

This policy applies to all individuals whose personal data is processed in connection with the Railr network, including applicants, authorised representatives of institutional participants, liquidity providers, API users, and any other individuals who interact with Railr directly.

Railr is committed to processing personal data in accordance with applicable data protection legislation, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the EU General Data Protection Regulation (EU GDPR 2016/679).

The data controller responsible for your personal data is:

For all data protection enquiries, requests, or complaints, please contact us at legal@railr.io.

As the Railr group structure develops, this policy will be updated to reflect any changes to the data controller or the introduction of additional group entities responsible for processing personal data.

Railr collects personal data that is necessary for the operation of a permissioned institutional network. The categories of personal data we collect include:

Railr collects personal data:

• Directly from you when you submit an application for network access.
• Through the onboarding and verification process including data collected via our KYC provider.
• Through your ongoing use of the Railr platform, website, and API.
• From publicly available sources including company registries and sanctions databases as part of our compliance obligations.
• From third party verification and screening services as part of our AML and KYB processes.

API usage data and request logs are collected automatically through your API integration. This data is used for security monitoring, rate limit enforcement, audit log generation, and network performance analysis.

Railr processes personal data on the following lawful bases under UK GDPR and EU GDPR:

Railr uses personal data to:

• Assess and process applications for network access.
• Conduct identity, business, and compliance verification including KYC, KYB, sanctions screening, and AML checks.
• Onboard and activate verified participants on the Railr network.
• Issue and manage API credentials and access controls.
• Communicate with you regarding your application, participation status, platform updates, and security notices.
• Operate, maintain, and improve the Railr platform, API, and network.
• Monitor network and API activity for security, fraud prevention, and compliance purposes.
• Generate and maintain immutable audit logs of participant activity.
• Meet our legal and regulatory obligations.
• Analyse website usage and platform performance through analytics tools.
• Enforce our Terms of Use and other applicable agreements.

Railr shares personal data with carefully selected third party service providers where necessary for the operation of the platform. These providers act as data processors on our behalf and are contractually required to process personal data only on our instructions and in accordance with applicable data protection law.

Current third party processors include:

Railr may engage additional third party processors from time to time, including cloud infrastructure providers, security monitoring services, and compliance tooling providers. Where this involves a material change to how personal data is processed, this policy will be updated accordingly.

The Railr network is operated by Railr Inc., a c corporation registered in the State of Wyoming, United States of America. Personal data collected from individuals in the United Kingdom or European Union may be transferred to and processed in the United States or other jurisdictions outside the UK and EEA.

Where personal data is transferred internationally, Railr takes appropriate steps to ensure that such transfers are made in accordance with applicable data protection law, including through the use of standard contractual clauses or other appropriate safeguards where required.

Third party processors including Google LLC and Vercel may also process personal data in the United States or other jurisdictions. Where applicable, transfers to these processors are governed by standard contractual clauses or equivalent transfer mechanisms recognised under UK GDPR and EU GDPR.

Railr retains personal data only for as long as is necessary for the purposes for which it was collected, subject to any legal or regulatory obligations requiring longer retention periods.

Specific retention periods include:

When personal data is no longer required, it is securely deleted or anonymised in accordance with our data management procedures.

Personal data processed through API access is subject to the same protections as data collected through the platform directly.

API request logs are retained as part of the participant audit log and are accessible to the relevant participant at any time. Logs include request timestamps, endpoint accessed, IP address of the requesting system, and response status. Logs do not include the content of quote responses or pricing data from other participants.

API credentials including key identifiers and permission scope configurations are stored securely. API secrets are hashed and are not recoverable after initial issuance. If an API secret is lost or suspected to be compromised, the participant must revoke the affected key and issue new credentials immediately.

IP whitelist configurations are stored against the participant account and applied to all API requests in real time.

Under UK GDPR and EU GDPR, you have the following rights in relation to your personal data:

To exercise any of these rights, please contact us at legal@railr.io. We will respond to all legitimate requests within one month. In complex cases we may extend this period by a further two months, in which case we will notify you.

Railr uses cookies and similar tracking technologies on its website. For full details of the cookies we use, the purposes for which they are used, and how to manage your cookie preferences, please refer to our Cookie Policy at railr.io/cookies.

Railr implements appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration. These measures include:

• Encryption of data in transit using TLS 1.3 and at rest.
• Access controls limiting data access to authorised personnel only.
• Two-factor authentication on all platform and administrative access.
• API key scoping and IP whitelisting controls.
• Regular security monitoring and review.
• Contractual security obligations imposed on all third party processors.

For full details of Railr's security implementation, please refer to our Security page at railr.io/security.

The Railr platform is intended solely for use by institutional participants, professional counterparties, and qualified individuals. Railr does not knowingly collect personal data from individuals under the age of 18. If we become aware that personal data has been collected from a minor, we will take steps to delete it promptly.

Railr may update this Privacy Policy from time to time to reflect changes in our practices, legal obligations, or platform operations. The date at the top of this policy indicates when it was last updated. Where changes are material, we will notify active participants directly.

If you are not satisfied with how Railr has handled your personal data, you have the right to lodge a complaint with the relevant supervisory authority.

We would encourage you to contact us at legal@railr.io in the first instance so that we have the opportunity to address your concern directly.