
Privacy Policy

🔒 Privacy by Design

This platform implements Privacy by Design principles mandated by GDPR Article 25. We collect minimal data, use privacy-first analytics with no cookies, and store personal data exclusively in the EU with appropriate safeguards.

Last Updated: August 22, 2025 | Next Review: February 22, 2026 | GDPR Compliance Version: 2025

1. Data Controller Information

Data Controller: Back-on-Track Action Group
Legal Status: European non-profit advocacy organization
Registration: AISBL (International Non-Profit Association under Belgian Law)
Primary Contact: Contact form
Data Protection Officer: Available upon request for high-risk processing activities

2. Scope and Territorial Application

This privacy policy applies to the processing of personal data of individuals within the European Union (EU) and European Economic Area (EEA) in connection with our night train advocacy platform. As a non-profit advocacy organization, we process personal data under the same legal obligations as commercial entities per GDPR Article 2.

3. Legal Basis for Processing (GDPR Article 6)

We process personal data based on the following legal grounds:

3.1 Consent (Article 6(1)(a))

  • Email communications: Explicit opt-in consent for advocacy updates
  • Event participation: Consent for September 26 Pyjama Party coordination
  • Marketing: Separate granular consent for non-essential communications

Consent is freely given, specific, informed, and unambiguous per GDPR Article 7. You may withdraw consent at any time with equal ease.

3.2 Legitimate Interest (Article 6(1)(f))

  • Advocacy statistics: Anonymous aggregation for EU policy demonstration
  • Platform security: Technical logs for fraud prevention and security
  • Research: Anonymous route demand analysis for transport planning

Legitimate Interest Assessment (LIA) available upon request. Balancing test conducted considering your fundamental rights and freedoms.

4. Categories of Personal Data Processed

4.1 Data Collected with Explicit Consent

| Data Category | Purpose | Legal Basis | Retention |
| --- | --- | --- | --- |
| Dream Routes (stations) | EU advocacy demonstration | Legitimate Interest | Anonymized after 30 days |
| Motivation text | Policy argumentation | Legitimate Interest | Anonymized after 30 days |
| Email address (optional) | Communications | Explicit Consent | Until withdrawal |
| Name (optional) | Personalization | Explicit Consent | Until withdrawal |
| Event participation preference | Event coordination | Explicit Consent | 30 days post-event |

4.2 Technical Data (No Personal Data)

  • Analytics: Page views via Plausible (EU-based, no cookies, no IP tracking)
  • Performance: Anonymous web vitals for platform optimization
  • Security logs: Server access logs (IP addresses hashed, 7-day retention)

5. Data Processing Principles (GDPR Article 5)

Lawfulness & Transparency

Clear legal basis, plain language privacy information

Purpose Limitation

Data used only for stated advocacy and event purposes

Data Minimization

Only essential data collected, optional fields clearly marked

Accuracy & Storage Limitation

Regular data reviews, automatic retention management

6. Data Transfers and International Processing

6.1 EU Data Residency

✅ Primary Data Storage: All personal data is stored in the EU (AWS eu-west-3, Paris, France) via Supabase with full GDPR compliance and EU data residency.

6.2 Third Country Processing

Website Hosting (Vercel - US)

  • Data Processed: No personal data stored on Vercel servers
  • Function: Website delivery only (static content, API routing)
  • Safeguards: Standard Contractual Clauses (SCCs 2021) + Technical Measures
  • Assessment: Transfer Impact Assessment (TIA) completed January 2025
  • Alternative: EU-US Data Privacy Framework (when applicable)

6.3 Analytics (EU-Based)

Plausible Analytics (EU infrastructure) - No personal data, no IP tracking, no cross-site tracking, GDPR Article 6(1)(f) legitimate interest.

7. Data Subject Rights (GDPR Articles 15-22)

πŸ›‘οΈ Your Rights Under GDPR

πŸ” Right to Access (Article 15)

Request a copy of all personal data we hold

✏️ Right to Rectification (Article 16)

Correct inaccurate or incomplete data

πŸ—‘οΈ Right to Erasure (Article 17)

Request deletion of your personal data

⏸️ Right to Restrict Processing (Article 18)

Limit how we process your data

📦 Right to Data Portability (Article 20)

Export your data in machine-readable format

🚫 Right to Object (Article 21)

Object to legitimate interest processing

Response within 30 days (extendable to 60 days for complex requests per Article 12(3))

8. Data Security and Technical Measures

πŸ” Encryption & Transport Security

  • TLS 1.3 encryption for all data transmission
  • AES-256 encryption at rest for database storage
  • Perfect Forward Secrecy (PFS) for all connections

πŸ›οΈ Infrastructure Security

  • SOC 2 Type II compliant hosting (AWS/Supabase)
  • ISO 27001 certified data processing facilities
  • Regular security audits and penetration testing

👥 Access Controls

  • Role-based access control (RBAC) with minimum necessary access
  • Multi-factor authentication (MFA) for administrative access
  • Audit logging of all data access activities

9. Cookies and Electronic Communications

πŸͺ Cookie-Free Analytics

We do not use tracking cookies. Our platform is designed with privacy by design:

✅ Essential Only

  • Session management (login state)
  • Consent preferences storage
  • CSRF protection tokens

❌ No Tracking

  • No analytics cookies
  • No advertising cookies
  • No third-party trackers

Per ePrivacy Directive (2002/58/EC) and GDPR Article 7, consent for essential cookies is not required.

10. Data Breach Notification

In accordance with GDPR Articles 33 and 34, we will notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach. Affected individuals will be notified without undue delay when the breach is likely to result in high risk to rights and freedoms.

11. Automated Decision-Making and Profiling

✅ No Automated Decision-Making: This platform does not engage in automated decision-making or profiling activities as defined in GDPR Article 22. All processing is for advocacy statistics and human review.

12. Children's Data Protection

This platform is not directed at children under 16 years of age. In accordance with GDPR Article 8, we do not knowingly collect personal data from children. If you are under 16, please obtain parental consent before using this platform.

13. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement. As we operate across the EU, you may contact your local Data Protection Authority or:

Lead Supervisory Authority:
Commission Nationale de l'Informatique et des Libertés (CNIL) - France
www.cnil.fr/en/home

14. Policy Updates and Notification

This privacy policy may be updated to reflect changes in legal requirements, processing activities, or organizational practices. Material changes will be communicated via:

  • Email notification (if you provided consent)
  • Prominent website notice for 30 days
  • Updated "Last Modified" date

15. Contact and Complaints

📧 Privacy Contact Information

Privacy Team: giovanni.backontrac@gmail.com

Data Protection Requests: Self-service portal

General Contact: giovanni.backontrac@gmail.com

Response Time: Within 30 days (up to 60 days for complex requests)

Document Version: 2.0 (GDPR 2025 Compliance)

Last Updated: August 22, 2025

Next Scheduled Review: February 22, 2026

Legal Framework: GDPR, ePrivacy Directive, EU-US DPF, SCCs 2021