Privacy Policy


Trainhugger is committed to protecting and respecting your privacy when you use our services.

This Privacy Policy explains:

  • What personal data we collect from you when you interact with us, such as when you use our website, apps or complete surveys;
  • How we collect and use that information;
  • How we keep information secure; and
  • How you can contact us if you wish to exercise any of your rights in relation to the information or make a complaint.

The data controller is:

Migaloo Ltd. (trading as Trainhugger)
27-29 The Hop Exchange
24 Southwark Street

Registered in England

Company Number: 12185670

Our Data Protection Manager is:

Felix Tanzer
27-29 The Hop Exchange
24 Southwark Street

More information about the Data Protection Act can be found on the Information Commissioners Website. The Information Commissioner is our regulator for data protection matters.

Information we may collect from you

We may collect and process information about you when you: buy tickets, use our website or apps, respond to a survey, use a product from us or make a sales enquiry; contact Customer Relations, enter a competition or sign up to receive updates or marketing.

We collect information such as your contact details, ticket purchases, stations visited, payment and refund details. We may require additional details for some services, such as your age for age restricted tickets, or health and/or data about your accessibility needs in order to assist you with your travel. This information is generally provided by you.

Sometimes we obtain details from third parties, for example if we have taken over a franchise or a complaint is passed to us from another operator.

How we use your information

We will only use the information you provide as permitted by Data Protection Law. This depends on how you contact us, use our services, the consent you have given, our legitimate interests, or legal obligations we may have, such as ensuring that our services are accessible.

We may use information held about you in the following ways:

  • To provide you with the service – things like carrying out our obligations arising from any contracts such as selling tickets, and making and taking payments. We mostly rely on the legal ground of contractual performance to process your data.
  • To provide you with details of our services and information about travelling, and customer service.
  • To provide you with details of promotions and offers which we feel may interest you when you have given consent for us to contact you. You have an absolute right to ask us to stop sending marketing emails or notifications. We use information like the tickets you buy and stations you use to make communications to you more relevant.
  • To comply with our legal obligations to customers, as well as legal obligations relating to Franchise Contracts, Local Authority Contracts, the Department for Transport and Regulators.
  • For your safety and security.
  • For fraud and crime prevention.
  • To enhance your experience of our website and app, as described in our cookie policy.
  • To run competitions and surveys.

Sharing or disclosure of your information

We will only share or disclose your information as set out in this Policy or in accordance with Data Protection Law and will obtain your consent where we are required to do so. We will only use third parties to process information where we are satisfied that they comply with these standards and can keep your data secure. We may share or disclose information for the following reasons:

  • We use data processors to provide or assist with some of our services. Where we do so, they must agree to strict contractual terms and to keep your data secure.
  • Where we share data with third parties such as train operators, this is only in accordance with a written data sharing agreement.
  • To respond to your complaints or administer requests you have made, either to us or another regulatory body such as the Department for Transport; Passenger Focus; the Rail Ombudsman, or train operating companies;
  • To comply with requests from the police or other law enforcement agencies for the purposes of crime prevention or detection. These are dealt with on a case-by-case basis, to ensure that any disclosure is lawful;
  • To comply with other legal obligations for example, relating to crime and taxation purposes or regulatory activity;
  • To protect our legitimate business interests, for example, for fraud prevention or revenue protection;
  • If you have agreed to receive information for competition, promotion, survey or research purposes, we may share your contact details with a limited number of parties, but only for the reasons you have agreed to in the terms and conditions of the purpose;
  • We have a policy in place for one off sharing of data, such as a request from an insurance company.

You can find out more below about the information we collect and how we use, share or disclose it.

When we collect information

Website visits and purchases

This section shows the information we collect when you use our website. Before providing us with your details, please read the following important information regarding:

  • Collection of visitor information
  • Links
  • Cookies
  • Passwords
  • Financial Information

Collection of Visitor Information

We will only use the information that we collect about you lawfully, in accordance with the Data Protection Law.

The details you provide about yourself and any other information which identifies you (‘Personal Information’) is held by us on this website (the “Site”) for operational purposes, for example customer registration or processing payments. We may also use your Personal Information to personalise your experience on the Site by informing you of new products or services that we may think are of interest to you.

We gather general information about users, for example, what services users access the most and which areas of the site are most frequently visited. Such data is used in the aggregate to help us to understand how the site is used. We gather this information so that we can continue to improve and develop our services to benefit our users. We may make this aggregated information available to users of the site and also to auditors. These statistics are anonymous and contain no personal information and cannot be used to gather such information.

When you register with us to set up a travel alert, enter a competition, or buy a ticket, we ask for personal information such as your name, contact details, and other details. Once you register with us and accept our Terms & Conditions, you are not anonymous to us. We may use information that you provide to alert you to our own products and services. We may contact you regarding site changes or changes to the products or services that you use.

You may opt-in to receive newsletters, exclusive discounts, special offers, updates on your trees planted, Trainhugger projects and other marketing emails from us. You may unsubscribe at any time by logging in to your account and updating your preferences.

Please note changes to your subscription preferences can take up to 14 days to take effect.

Alternatively you can write to our Customer Relations Team at:


For your convenience, our website and apps may contain links to sites owned and operated by third parties. They have their own privacy policies, and we urge you to review them before browsing those sites. We do not accept any responsibility or liability for the privacy practices of such third-party websites and your use of such websites is at your own risk.


A cookie is a small piece of information that is sent to your browser when you access a website. Cookies contain information about your visits to that website and the purpose of cookies is to enable our websites to remember you, and your browsing habits, when you visit it again in the future.

With most Internet browsers you can configure your browser so that it refuses new cookies, prompts you to accept cookies or disables cookies altogether. Exactly how this is done is dependent on the browser you use.

To find out more about the cookies we use please visit our cookie policy.


In order to increase security we ask you to input a password when you register as a user of the site. Please keep this password secret.

Financial Information

We encrypt your financial information using SSL (Secure Sockets Layer) technology so that no one else can access your credit card details as they travel through the Internet. SSL as of November 2020 is certified by Let’s Encrypt and is recognised as a secure way to pay on-line. As you may be aware, no data transmission over the Internet can be entirely secure. We will always use reasonable endeavours to protect the personal information you provide to us but we cannot guarantee the security of your information and the use of our facilities (e.g. email) is at your own risk.

If you have any questions about paying for your ticket through the Site, please contact Customer Relations. Trainhugger will never ask for your financial information outside the booking process.

Where we store your personal information

The information that we collect from you will only be stored in the European Economic Area or in the United Kingdom. With consent, your name may be used in order for Trainhugger to send you emails via a third party platform such as MailChimp.

Information security

We use a range of technical and organisational measures to safeguard access to and use of your personal information and to ensure it retains its integrity and availability. These include structured access controls to systems, network protection, intrusion detection, physical access controls and staff training. We also consider anonymising or pseudonymising personal data where practical.

Your Rights

Object to direct marketing

To prevent marketing to you, you have the right to ask us not to process your personal information for marketing purposes. We will usually inform you before collecting your information if we intend to use or disclose it for such purposes. If you do not want us to use your information for marketing purposes either:

  • Indicate this by NOT ticking the box to be sent marketing emails (or offers)
  • If you have an account with us, by logging in and changing your contact preferences;
  • Click the unsubscribe link on direct marketing emails or
  • Or contact us

It is possible that you may receive a pre-scheduled communication whilst your request is being processed as this can take several days. If you have any other objections as to how we are using your personal data, please contact our Data Protection Manager.

Ask for a copy of your personal data

You are entitled to request a copy of the personal information we hold about you.

Please contact us at Please let us know if you want to receive the information electronically. We aim to get the information to you without undue delay and within 30 days.  If we have any trouble with this timeframe. we will let you know within 30 days and explain what the problem is. Sometimes we may hold information that we don’t have to provide, for example it would prejudice a police investigation or contain someone else’s personal data.

In most cases we provide the copy of your data to you for free. We have set out some information about when it might not be free, or provided below.

Rectification / restriction

If you believe the information we hold about you is inaccurate or incomplete you can contact us and ask us to correct it.  You may also request any data processing we are carrying out on your data is halted whilst a request for rectification or objection or a dispute over the lawfulness of processing is being considered.

We will provide a response confirming the action we have taken or disagree with taking within 30 days, or provide a response within 30 days if the matter is complex and a further time is needed.

Deletion – right to be forgotten

You can request deletion or removal of personal information in some circumstances, such as when there is no compelling reason for its continued processing.

We will provide a response to you without undue delay and within 30 days, confirming whether/what personal data we have deleted and/or explaining why some data does not need to be deleted.

Withdrawal of Consent

If we relied on consent as the ground for processing your personal data, you can withdraw this consent at any time. It does not affect the processing carried out beforehand. You can withdraw consent by contacting Customer Relations, our Data Protection Manager or the Data Protection Officer.  Where you have consented to receive direct marketing communications, you can withdraw your agreement at any time by updating your preference centre or clicking on the appropriate link in the communication or contacting us as above. We will comply with your request without undue delay and within 30 days.


You also have a right to request that no further processing takes place in relation to some grounds of processing, such as for direct marketing. We will respond to your request without undue delay and within 30 days, confirming the action we will or won’t take.


Where you have provided us with personal data and the reasons we are processing it are based on consent or our contract with you, and the processing is automated, you have a right to ask for that information to be provided to you or another data controller in a structured, commonly used and machine-readable format. The right may be restricted if it is not practical for us to provide the information in this way or it adversely affects the rights of others.

If we are able to provide your personal data in this way, we will do so in 30 days or we will let you know within 30 days if we require more time or there are any issues with carrying out the request.

Information about profiling and automated decision making

If you have signed up to receive marketing communications from us, we will use information such as the type of tickets you buy or the stations you use, to send communications which are more relevant to you. We will try and make the communications compatible with the device you are using.

We may analyse your personal information to create a profile of your interests and preferences so that we can contact you with information relevant to you. We may make use of additional information about you when it is available from external sources to help us do this effectively.

How we deal with rights requests

We will try to deal with your request without undue delay and at least within 30 days.  In exceptional circumstances, we may need to extend the time to respond fully, if the request is particularly complex or there are multiple requests. But we will let you know within 30 days.

We will not charge you a fee for dealing with rights requests, unless they are manifestly unfounded or excessive or in circumstances where copies have been provided previously. We would always let you know if we thought this was the case, so that you can make a decision about what you wanted to do next.

There are various limitations and exemptions in relation to the exercise of rights in data protection law – for example if it would affect another’s rights and freedoms or if we need to retain the information to make or defend a legal claim. We intend only to rely on limitations and exemptions where it is fair to do so and always bearing in mind that it is your personal data.


If you are not happy with the way in which we deal with your data or have dealt with a rights request, then please let us know. Our Data Protection Manager is the first point of contact for dealing with Rights Requests and complaints, and they are assisted by Customer Relations. If you are not satisfied with their response you can complain to the ICO. Its contact details are:

Information Commissioner’s Office
Wycliffe House
Water Lane

Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.

Visit the Information Commissioner’s website

You also have the right to seek a judicial remedy, issue legal proceedings against us.

Privacy Policy for people under 16


GDPR stands for the General Data Protection Regulation and it is now the law. it is designed to keep your personal information safe. Personal information can be your:

  • Name
  • Date of Birth
  • Home Address
  • Contact Details
  • School

Trainhugger is a “Data Controller”. This means that it collects and uses information about you. As a data controller, we are responsible for looking after your information and only using this for relevant purposes.

Data Protection Principles

GDPR has some important principles to ensure that we protect your information:

  • We must use your information lawfully, and tell you how we use your information
  • If we collect your information for one purpose we can only use it for that purpose
  • We need to keep your information up to date
  • We only keep it for as long as it is needed
  • We need to look after your information and keep it safe

Do you have to give us your information?

You must give us quite a lot of the information we need, but there is some information that you can choose whether to let us have it or not. When we ask you for information that you don’t have to give us, we will ask for your permission and let you know why we want it and what we will do with it. If you don’t want us to have the information, that’s your choice. If the information we are collecting is information that you can choose not to give, you can tell us to stop collecting it at any time.

How long will we keep your information?

We only keep your information for as long as we genuinely need it. We have a policy that tells us how long to keep it for.

Will your information be shared?

We won’t share your information with anyone else without your permission, unless the law says we can or should. If we do share your information, it will generally be with your School or Local Authority.

What are your rights?

You have the right to:

  • Be told how we use your information
  • Ask to see the information we hold
  • Ask us to change information you think is wrong
  • Ask us to remove information when it’s not needed anymore
  • Ask us to only use your information in certain ways
  • Tell us you don’t want your information to be processed

Sometimes it might be appropriate for the person who looks after you to ask us for this information.

If you’re worried about how we get and use your information, you can contact our Data Protection Manager, Felix Tanzer, at

If you want to complain about how we use your personal data, you can contact the Information Commissioner’s Officer.  You can find out more information about them by visiting

Changes to this privacy policy

We may occasionally update this statement.

Last updated April 6th 2021.