← Back

Privacy Policy

railsmaps.com · Last updated: May 2026

1. Introduction

Welcome to RailsMaps. This privacy policy explains how information is collected and used when you visit railsmaps.com (the "Site").

2. Information Collected

2.1 Automatically Collected Information

When you visit the Site, certain information about your device and browsing behavior is automatically collected through cookies and similar technologies:

  • Browser type and version
  • Operating system
  • IP address (anonymized)
  • Pages visited and time spent on pages
  • Referring website
  • Date and time of visit

2.2 Personal Information

No personally identifiable information (PII) is collected through anonymous browsing. However, if you create an account, personal data is collected as described in section 2.3 below.

2.3 Account Data

When you create an account using Google Sign-In or Apple Sign-In, the following information is received from the authentication provider and stored:

  • Full name
  • Email address
  • Profile picture (if provided by the authentication provider)
  • Account creation date and last sign-in timestamp

This data is stored in a PostgreSQL database hosted by Hetzner Online GmbH, located in Nuremberg, Germany (European Union). Authentication sessions are maintained via secure, HTTP-only cookies. You can delete your account and all associated data at any time from Settings → Account. The legal basis for processing account data is the performance of the contract with you (GDPR Article 6(1)(b)).

2.4 Paid Pass, Billing, and Custom Preset Data

If you buy an Export & Customisation Pass, payment is processed by Stripe. RailsMaps does not store or receive full card numbers, CVC codes, or bank account details. Stripe may process payment method details, billing data, fraud-prevention data, and checkout cookies under its own privacy policy.

  • Stripe checkout session ID, payment intent ID, customer ID, amount, currency, plan, app, and timestamps
  • Active export entitlement status, plan duration, start/end time, and revocation status
  • Custom map preset names and preset JSON needed to sync your saved map styling
  • Anonymized billing audit records using an HMAC hash of your user ID instead of your raw user ID or email

Paid pass data may be shared across RailsMaps and FreakMaps because one pass unlocks both apps for the same shared account.

3. Cookies and Tracking Technologies

3.1 What Are Cookies

Cookies are small text files stored on your device when you visit the Site. They help understand how you use the Site and improve your experience.

3.2 Types of Cookies Used

Essential Cookies (Required)

These cookies are necessary for the Site to function properly:

  • Cookie Consent (railsmaps-cookie-consent): Stores your cookie preferences · Authentication Session (better-auth.session_token): Maintains your signed-in state; only set when you create an account and sign in. This cookie is strictly necessary to provide the account feature and cannot be disabled while signed in.

Analytics Cookies (Optional)

These cookies help understand how visitors use the Site:

  • Google Analytics: Tracks page views, session duration, and user behavior to help improve the Site

3.3 Managing Cookies

You can manage your cookie preferences using the cookie consent banner that appears when you first visit the Site. You can also control cookies through your browser settings. Most browsers allow you to refuse cookies or delete cookies that have already been set. Note that disabling cookies may affect the functionality of the Site.

4. Google Analytics

Google Analytics is used to analyze how visitors use the Site. Google Analytics uses cookies to collect information such as:

  • Number of visitors
  • Pages visited
  • Time spent on the Site
  • Geographic location (country/city level)
  • Device and browser information

Google Analytics data is anonymized and does not identify individual users. For more information about how Google uses data, visit Google's Privacy Policy.

You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

5. Cloudflare Web Analytics

The Site uses Cloudflare Web Analytics, which collects Real User Measurements (RUM) to monitor site performance. This includes metrics such as page load times, time to first byte, and other performance indicators.

Cloudflare Web Analytics is privacy-friendly: it does not use cookies, does not track individual users across sites, and does not collect personal data. All data is aggregated and anonymized. For more information, see Cloudflare's Privacy Policy.

6. Map Tiles and Third-Party Services

The interactive maps use base map tiles built from OpenStreetMap (OSM) data. By default, all map tiles — including the base map and railway data overlays — are served from RailsMaps' own servers. No third-party tile servers are contacted during normal use.

When you view maps on the Site:

  • Base map tiles and railway data overlays are loaded from RailsMaps' own tile server
  • Map label fonts and icon sprites are loaded from GitHub Pages (protomaps.github.io), which means your IP address may be visible to GitHub
  • If you manually switch to an OpenStreetMap raster base map in the settings, tiles will be loaded directly from OpenStreetMap servers and your IP address will be visible to them

For more information, see the OpenStreetMap Privacy Policy and GitHub Privacy Statement.

7. How Information Is Used

The collected information is used to:

  • Provide and maintain user accounts and authentication services
  • Process paid export/customisation passes and enforce entitlement status
  • Store and sync custom map presets for signed-in users
  • Understand how visitors use the Site
  • Improve Site functionality and user experience
  • Analyze traffic patterns and trends
  • Identify and fix technical issues
  • Optimize content and features

8. Data Sharing and Disclosure

Your information is not sold, traded, or rented to third parties. Data may be shared with the following processors and services:

  • Hetzner Online GmbH: Database and server hosting for account data (Nuremberg, Germany, EU). Hetzner Privacy Policy
  • Google (Sign-In): OAuth authentication provider. When you sign in with Google, your browser communicates with Google servers. RailsMaps only stores the profile data returned after successful authentication. Google Privacy Policy
  • Apple (Sign-In): OAuth authentication provider. When you sign in with Apple, your browser communicates with Apple servers. RailsMaps only stores the profile data returned after successful authentication. Apple Privacy Policy
  • Stripe: Payment processor for paid Export & Customisation Pass checkout, payment confirmation, refunds, disputes, fraud prevention, and tax/accounting records. RailsMaps does not store full card details. Stripe Privacy Policy
  • Google Analytics: For website analytics purposes (anonymized data)
  • Cloudflare: For performance monitoring via Real User Measurements (no personal data collected)
  • GitHub Pages: When loading map label fonts and icon sprites (your IP address may be visible)
  • OpenStreetMap: Only if you manually select an OSM raster base map in the map settings (your IP address may be visible)

Information may be disclosed if required by law or to protect rights and safety.

9. Affiliate Links

The Site contains affiliate links to third-party rail and travel booking partners. When you click an affiliate link (for example, the "Book tickets" partner links in the sidebar), you are redirected through a tracking URL that may set cookies on your device so the partner can attribute a booking to RailsMaps and pay a commission. RailsMaps does not receive your name, email, payment details, or any other personal information from these bookings — only aggregated, anonymous click and conversion counts.

The current affiliate partners and their tracking domains are:

  • Trainline via Partnerize (prf.hn, thetrainline.com)
  • Omio via Impact (omio.sjv.io, omio.com)
  • 12Go Asia (12go.asia)
  • JRPass.com (click.jrpass.com, jrpass.com)

These partners typically use a 30-day cookie window for last-click attribution. You can block these cookies in your browser settings or use tracking-protection extensions; doing so will not affect your ability to use the Site or to book travel directly with the partner.

For details on how each partner processes data, see Trainline's Privacy Policy, Partnerize's Privacy Policy, Omio's Privacy Policy, Impact's Privacy Policy, 12Go's Privacy Policy.

10. Data Retention

Analytics data is retained for up to 26 months. Cookie consent preferences are stored for 12 months. Account data (name, email, profile picture) is retained for as long as your account is active and deleted upon account deletion. Authentication session data is retained until you sign out or the session expires. Custom map presets, checkout attempts, and active export entitlements are deleted with your account. Minimal anonymized Stripe audit records may be retained as long as needed for tax, accounting, dispute, refund, fraud-prevention, and legal compliance.

11. Your Rights (GDPR)

If you are located in the European Economic Area (EEA), you have the following rights:

  • Right to Access: Request information about data we hold about you
  • Right to Rectification: Request correction of inaccurate data
  • Right to Erasure: Request deletion of your data — account holders can exercise this directly by deleting their account in Settings → Account. Some anonymized billing audit records may be retained where required for legal, tax, accounting, refund, dispute, or fraud-prevention reasons.
  • Right to Restrict Processing: Request limitation of data processing
  • Right to Data Portability: Request transfer of your data
  • Right to Object: Object to data processing
  • Right to Withdraw Consent: Withdraw consent at any time

To exercise these rights, please contact us at the email address below.

12. International Data Transfers

Account data is stored exclusively in the European Union — specifically on servers hosted by Hetzner Online GmbH in Nuremberg, Germany. Analytics and performance data processed by Google Analytics and Cloudflare may be subject to transfers outside the EEA; both services operate under Standard Contractual Clauses (SCCs) or equivalent safeguards as required by GDPR.

13. Security

Reasonable security measures are implemented to protect information from unauthorized access, alteration, or destruction. However, no internet transmission is completely secure.

14. Changes to This Privacy Policy

This Privacy Policy may be updated from time to time. Changes will be posted on this page. Continued use of the Site after changes constitutes acceptance of the updated policy.

15. Contact

If you have questions about this Privacy Policy or wish to exercise your rights, please contact:

Email: [email protected]

Website: railsmaps.com

16. Attribution

Map data © OpenStreetMap contributors, available under the Open Database License (ODbL). Base map styling powered by Protomaps, an open-source map project. Paid export removes only the RailsMaps/FreakMaps brand watermark; required map/source attribution remains.