Privacy Policy - Global Rail Group
Last updated: 17. 03 .2026
1. Introduction
Thank you for your interest in Global Rail Group and for visiting our website. The protection of your personal data is important to us. Below, we inform you in detail about how we handle your personal data and what rights you have in this regard.
This Privacy Policy applies to all personal data processed in connection with your use of our website. Please read it carefully.
1.1. Data Controller
The controller responsible for data processing on this website is:
Global Rail Group
Am Tabor 42, 1020 Vienna, Austria
1.2. Data Protection Contact
Global Rail Group has not appointed a Data Protection Officer, as we are not legally required to do so under Art. 37 GDPR. For all matters relating to the processing of your personal data and the exercise of your rights under this Privacy Policy, please contact our internal data protection contact:
Global Rail Group
Am Tabor 42, 1020 Vienna, Austria
2. How We Collect and Use Your Data
2.1. Processing and Use of Your Personal Data
Personal data is any information that allows conclusions to be drawn about your identity, such as your name or email address. We are committed to the principles of data minimization and purpose limitation. This means that personal data is only collected to the extent necessary and is only retained for as long as required for the purpose for which it was collected.
We process your personal data on the following legal bases, depending on the context:
- Performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR), where processing is necessary to fulfil a contractual relationship with you or to take steps at your request prior to entering into a contract.
- Consent (Art. 6(1)(a) GDPR), where you have given us explicit consent to process your data for a specific purpose. You may withdraw your consent at any time; withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
- Legitimate interests (Art. 6(1)(f) GDPR), where processing is necessary for our legitimate business interests and these are not overridden by your rights and interests.
Where we engage external service providers in connection with this website, we select them with care and bind them contractually by means of Data Processing Agreements (DPAs) in accordance with Art. 28 GDPR. These agreements govern the nature, scope, and purpose of any data processing carried out on our behalf and ensure that our data protection standards are upheld.
2.2. Automatically Generated Data
When you visit our website, certain information is automatically recorded in the form of server log files. This includes the browser type and version, operating system, referring URL (the previously visited website, where our site was accessed via a hyperlink), and the date and time of access.
This data is used exclusively for the anonymous analysis of user behaviour with the aim of improving our website. No individual analysis of user behaviour takes place, and this data is not merged with other data sources or used to identify individual users. IP addresses are not used to identify individual users and are not retained beyond what is technically necessary for the operation of the server infrastructure.
Log file data is retained for a maximum of 30 days and is then automatically deleted.
The legal basis for this processing is our legitimate interest in the secure and stable operation of our website, in accordance with Art. 6(1)(f) GDPR.
2.3. Inquiry Forms
You can submit enquiries to us via the contact forms on our website. In doing so, we collect your name, company name, email address, phone number, and any other information you provide in connection with your enquiry. This data is used exclusively to process and respond to your request.
Our forms are protected by Google reCAPTCHA to prevent automated misuse. Please refer to the Google reCAPTCHA section of this Privacy Policy for further details.
Enquiry data is retained for the duration of the communication and any resulting contractual relationship. Where no contract results from the enquiry, data is deleted no later than three years after our last contact with you.
The legal basis for this processing is Art. 6(1)(b) GDPR where the enquiry relates to a potential contractual relationship, and Art. 6(1)(f) GDPR (our legitimate interest in responding to and documenting enquiries) in all other cases.
2.4. Newsletter
We use the Odoo platform to send our newsletter to subscribers. Odoo is a service provided by Odoo S.A., Chaussée de Namur 40, 1367 Grand-Rosière, Belgium. As Odoo is headquartered within the EEA, no international data transfer takes place in connection with this service. A Data Processing Agreement in accordance with Art. 28 GDPR is in place with Odoo S.A.
Subscription to our newsletter is not automated. We add subscribers manually on the basis of a prior expression of interest. The data we process in this context is limited to your name and email address, and is used exclusively for the purpose of sending you our newsletter.
The legal basis for this processing is your consent in accordance with Art. 6(1)(a) GDPR. You may withdraw your consent and unsubscribe from the newsletter at any time by contacting us at office@global-rail-group.com or by clicking the unsubscribe link included in every newsletter. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
Newsletter subscriber data is retained for as long as you remain subscribed. Upon unsubscribing, your data will be deleted within 30 days.
3. Cookies and Third-Party Technologies
3.1. Cookies
To enhance the user experience on our website, we use cookies. Cookies are small text files stored on your device by your browser. They are harmless and serve purely functional or analytical purposes.
We use two types of cookies. Session cookies are temporary and are automatically deleted when you close your browser. Persistent cookies remain on your device for a defined period of time and allow us to recognize your browser on your next visit; they are automatically deleted after their set expiry date, but can also be deleted manually at any time through your browser settings.
You can configure your browser to notify you when cookies are set and to allow or block them individually. Please refer to your browser’s help or settings menu for further information. Please note, however, that restricting cookies may limit the functionality of certain parts of our website.
Where cookies are used for analytics or other non-essential purposes, this is done only on the basis of your prior consent (Art. 6(1)(a) GDPR). You can provide, manage, or withdraw your consent at any time via our cookie consent tool. Session and strictly necessary cookies are used on the basis of our legitimate interest in the proper functioning of the website (Art. 6(1)(f) GDPR).
3.2. Use of Third-Party Technologies for Web Analysis
To improve our services and online presence, we use cookies and other technologies from third-party providers on our website. The use of these technologies is based solely on your prior consent in accordance with Art. 6(1)(a) GDPR. You may withdraw your consent at any time via our cookie consent tool; withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
Data collected through these technologies is deleted either when the underlying purpose has been fulfilled or when you withdraw your consent, subject to the specific retention periods described in the individual sections below.
For details on each technology used, including the data collected, its purpose, and the applicable retention periods, please refer to the following sections of this Privacy Policy.
3.3. Use of Google Services - General
This website uses services provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). As a European user, your data may be processed by Google in the United States or other countries outside the EEA. Google has certified under the EU–U.S. Data Privacy Framework, and Standard Contractual Clauses are in place to safeguard such transfers.
For more information on how Google processes your data, please refer to Google’s Privacy Policy:
3.4. Google Analytics
This website uses Google Analytics, a web analytics service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Google Analytics automatically collects certain information about how you interact with our website, including your IP address (which is anonymised before transmission), the time of your visit, details about your device and browser, and how you navigate our pages. This information is used to create pseudonymised usage profiles. Cookies are used in this context.
Your IP address is neither stored in full nor combined with other data held by Google. A Data Processing Agreement (DPA) in accordance with Art. 28 GDPR is in place with Google.
As Google is based in the United States, your data may be transferred to and processed on servers outside the EEA. Such transfers are safeguarded by Google’s certification under the EU–U.S. Data Privacy Framework and, where applicable, Standard Contractual Clauses.
To improve the marketing performance of our website, we have enabled Google Analytics data sharing with “Google products and services”. This allows Google to access data collected through Google Analytics and use it to enhance its own services. This data sharing is based on a separate agreement between independent data controllers. Please note that we have no control over how Google subsequently processes this data.
The legal basis for the use of Google Analytics is your consent in accordance with Art. 6(1)(a) GDPR, which you can provide or withdraw at any time via our cookie consent tool. Where no consent is required, processing is based on our legitimate interest in analysing website usage in accordance with Art. 6(1)(f) GDPR.
You may opt out of Google Analytics tracking at any time by installing the Google Analytics Opt-out Browser Add-on:
https://tools.google.com/dlpage/gaoptout
For more information on how Google processes your data, please see Google’s Privacy Policy: https://policies.google.com/privacy
3.5. Google reCAPTCHA (v2)
This website uses Google reCAPTCHA (“reCAPTCHA”), a service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). reCAPTCHA is used to verify whether data entered in forms on this website has been submitted by a person or by an automated program, thereby protecting our forms from spam and abuse.
When you interact with a reCAPTCHA-protected form, reCAPTCHA analyses your behaviour to distinguish human users from automated programs. The analysis is based on information collected at the time of interaction, which may include your IP address, dwell time on the page, mouse movements, and other interaction data relating to the reCAPTCHA checkbox. This information is transmitted to and processed by Google.
As Google is based in the United States, your data may be transferred to and processed on servers outside the EEA. Such transfers are safeguarded by Google’s certification under the EU–U.S. Data Privacy Framework and, where applicable, Standard Contractual Clauses.
The use of reCAPTCHA is based on our legitimate interest in protecting this website from automated abuse and ensuring the integrity of our web forms, in accordance with Art. 6(1)(f) GDPR. You may object to this processing at any time under Art. 21 GDPR; however, please note that without reCAPTCHA, the affected forms may not be available or functional.
For more information on how Google processes your data, please see Google’s Privacy Policy and Terms of Service:
https://policies.google.com/privacy
4. Third-Party Services and External Links
4.1. Third-Party Processors - General
Beyond the services described individually in this Privacy Policy, we may engage other carefully selected third-party processors in connection with the operation of this website and our business. All such processors are bound by Data Processing Agreements in accordance with Art. 28 GDPR and are contractually required to process personal data only on our instructions and in compliance with applicable data protection law.
All third-party processors used in connection with this website, other than Google as described above, are based within the European Union (EU). No international data transfer to third countries takes place in connection with these services.
4.2. Hyperlinks to Third-Party Websites
This website may contain links to third-party websites. These links are provided for your convenience and information only. We have no control over the content, privacy practices, or data processing activities of any linked external websites, and we accept no responsibility for them.
When you follow a link to an external website, please be aware that you are leaving our website and that the privacy policy of that third-party site will apply. We encourage you to review the Privacy Policy of any external website you visit before submitting any personal data.
4.3. Links to Social Networks
This website contains links to LinkedIn, a social network operated by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. This link is provided solely for your convenience and to allow you to connect with us on LinkedIn.
When you click on the LinkedIn link, your browser establishes a direct connection with LinkedIn’s servers. LinkedIn may receive information about your visit to our website, including your IP address and the page you were visiting at the time. If you are logged into your LinkedIn account at the time of clicking, LinkedIn may be able to associate this information with your account. Please note that even if you are not logged in, LinkedIn may be able to identify and track your device through the use of cookies or similar technologies, particularly if you have previously visited LinkedIn.
To prevent LinkedIn from associating your visit with your account, we recommend logging out of LinkedIn before clicking the link. LinkedIn is solely responsible for any data processing that occurs as a result of clicking the link. We have no control over the scope, nature or purpose of that processing.
The provision of this link is based on our legitimate interest in maintaining a presence on professional social networks and making it easy for users to connect with us, in accordance with Art. 6 (1)(f) GDPR.
For full details on how LinkedIn processes your personal data, please refer to LinkedIn’s Privacy Policy: https://www.linkedin.com/legal/privacy-policy.
5. Data Security and Retention
5.1. Secure Data Transfer
We protect our website through appropriate technical and organisational measures designed to safeguard your personal data against accidental unlawful loss, destruction, unauthorized access, alteration, disclosure, or dissemination, in accordance with Art. 32 GDPR.
All data transmitted to and from our website is encrypted via HTTPS. This ensures the confidentiality and integrity of communication between your browser and our web server, and prevents third parties from intercepting or tampering with data in transit.
While we take protection of your data seriously and continuously review our security measures, please be aware that no method of transmission over the internet is entirely without risk. We therefore cannot guarantee absolute security, but we are committed to applying industry-standard safeguards at all times.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will fulfil our notification obligations in accordance with Art. 33 and Art. 34 GDPR.
5.2. Data Retention
We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by applicable law. The following retention periods apply to the main categories of data we process:
Processing Activity | Data Retained | Retention Period |
Server log files | Browser type, OS, referring URL, access time | 30 days |
Enquiry forms | Name, company, email, phone, enquiry content | 3 years after last contact |
Newsletter | Name, email address | Until unsubscription + 30 days |
Google Analytics | Pseudonymised usage data | 2 months (GA4 setting) |
Google reCAPTCHA | Interaction data | As per Google’s retention policy |
Where retention is based on a legal obligation or the establishment, exercise, or defence of legal claims, data may be retained beyond the periods stated above to the extent required by applicable law.
6. Your Rights
6.1. Your Data Protection Rights
Under the General Data Protection Regulation (GDPR), you have the following rights in relation to your personal data:
Right of access (Art. 15 GDPR): You have the right to obtain confirmation of whether we process personal data about you, and if so, to receive a copy of that data along with information about how it is processed.
Right to rectification (Art. 16 GDPR): You have the right to request the correction of inaccurate personal data or the completion of incomplete data we hold about you.
Right to erasure (Art. 17 GDPR): You have the right to request the deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you have withdrawn your consent and no other legal basis applies, among other circumstances.
Right to restriction of processing (Art. 18 GDPR): You have the right to request that we restrict the processing of your personal data in certain circumstances, for example while the accuracy of the data is being contested.
Right to data portability (Art. 20 GDPR): Where processing is based on your consent or on a contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.
Right to object (Art. 21 GDPR): Where processing is based on our legitimate interests, you have the right to object to that processing at any time on grounds relating to your particular situation. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, or the processing is necessary for the establishment, exercise, or defence of legal claims.
We will respond to any request to exercise your rights within one month of receipt, in accordance with Art. 12(3) GDPR.
Right to lodge a complaint (Art. 77 GDPR)
If you believe that our processing of your personal data infringes applicable data protection law, you have the right to lodge a complaint with the competent supervisory authority. In Austria, this is:
Österreichische Datenschutzbehörde (Austrian Data Protection Authority) Barichgasse 40–42, 1030 Vienna www.dsb.gv.at
How to exercise your rights
To exercise any of the above rights, or if you have any questions or suggestions regarding data protection, please contact us at:
Global Rail Group
Am Tabor 42, 1020 Vienna
6.2. Automated Decision-Making and Profiling
We do not carry out any automated decision-making or profiling as defined in Art. 22 GDPR that produces legal or similarly significant effects for you. No decisions about you are made solely on the basis of automated processing.
7. Changes to this Privacy Policy
We keep this Privacy Policy under regular review and will update it as necessary to reflect changes in our data processing practices, legal obligations, or applicable regulations. The date at the top or bottom of this page indicates when the policy was last updated.
Any changes we make will be published on this website. Where changes are material — for example, where we introduce new purposes for processing your data or share your data with new third parties — we will take reasonable steps to bring these changes to your attention, such as through a notice on our website or, where appropriate, by direct notification.
Any changes to this Privacy Policy will comply with applicable data protection law and will not retrospectively restrict the rights you had under the version of the policy in place when your data was collected, unless we are required to do so by law or have obtained your consent where required.
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your data.
