1. At a glance
Third Rail Systems OÜ ("Third Rail", "we", "us") builds a minimum-disclosure compliance layer for enterprise travel risk. Our commercial thesis is that identity-bearing data should remain on the traveller's device and never enter our systems or our customer's HRIS. This notice explains the narrow set of personal data we do process — primarily for our public website and pilot-intake flow — and your rights under the EU General Data Protection Regulation (GDPR).
- We do not centrally collect or store GDPR Article 9 "special-category" data.
- We do process limited contact data when you voluntarily submit our pilot-request form.
- We do use PostHog (EU region) for privacy-respecting product analytics on this website.
- We are registered in Tallinn, Estonia. Our processing operates under EU jurisdiction by design.
2. Data Controller
Third Rail has not appointed a statutory Data Protection Officer (GDPR Art. 37) at this stage; the CEO exercises the privacy-contact function. A DPO will be appointed prior to any processing that triggers an Art. 37 obligation.
3. What we process, and why
3.1 Website visitors
When you visit thirdrailsystems.ee, our EU-hosted infrastructure processes the following technical data for the sole purpose of delivering and securing the site: IP address, user agent, referrer, and request timestamps. This data is retained in operational logs for a maximum of 30 days and is not used to build a behavioural profile of you outside the analytics scope described below.
- Lawful basis: Article 6(1)(f) GDPR — legitimate interest in operating and securing our website.
3.2 Pilot-request intake form
When you submit the pilot-request form on our homepage, we collect only: first name, last name, corporate email address, and your role (e.g. CSO, DPO, ERG lead). We use this information exclusively to respond to your enquiry, assess pilot fit, and (if relevant) enter pre-contract negotiations with your organisation.
- Lawful basis: Article 6(1)(b) GDPR — steps taken at your request prior to entering into a contract — with Article 6(1)(f) as a secondary basis for the operational notification of our sales team.
- Retention: up to 24 months from submission, after which unactioned enquiries are deleted.
- Anti-abuse: we process your IP address and submission timing transiently to apply rate-limits and honeypot detection. These values are not stored alongside your contact record after the check completes.
3.3 Product analytics (PostHog)
We use PostHog (operated by PostHog Inc., with an EU data-region available) to measure aggregate usage of our marketing site — including events like memo_viewed, memo_read_completed, and pilot_request_submitted. These events are associated with an anonymous device identifier and are not joined to your identity on our side unless you subsequently submit the pilot-request form, at which point we may associate the anonymous identifier with your contact record solely to qualify the enquiry (e.g. whether you read our Strategic Memo before submitting).
- Lawful basis: Article 6(1)(f) GDPR — legitimate interest in understanding how our thesis is received by the prospective-customer audience.
- Opt-out: see the Cookies notice for controls. You can disable analytics at any time.
3.4 The product itself — our "minimum-disclosure" architectural commitment
Third Rail's production platform — the minimum-disclosure compliance layer sold to enterprise customers — is deliberately designed so that we never act as a Controller of a traveller's special-category personal data. When a customer deploys the platform, identity inputs (e.g. protected-trait signals relevant to travel risk) remain encrypted on the traveller's device; our stateless synthesis layer cross-references destinations against local penal codes without logging those inputs centrally. The enterprise remains the Controller of standard itineraries, and Third Rail operates as a Processor under a Data Processing Agreement that will be executed prior to any pilot activation.
4. Recipients and international transfers
We disclose your personal data only to the processors strictly necessary to run the website and respond to enquiries. As of this version we use:
- Resend Inc. — transactional email delivery for notifying us of your pilot-request submission. Contracted under Resend's standard DPA.
- MongoDB (EU-region cluster). Database of record for pilot-request submissions.
- PostHog, Inc. — product analytics; we use (or will use, pending migration) the EU data region to keep processing within the EU.
Where a processor is established outside the EEA, the transfer is governed by an executed Data Processing Agreement incorporating the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914) and, where applicable, supplementary measures consistent with the EDPB's Recommendations 01/2020. We do not currently rely on derogations under Article 49 GDPR.
5. Your rights under GDPR
You have the right, subject to the conditions set out in the GDPR, to:
- Access the personal data we hold about you (Art. 15).
- Request rectification of inaccurate data (Art. 16).
- Request erasure where one of the grounds in Art. 17 applies.
- Request restriction of processing (Art. 18).
- Obtain your data in a portable, machine-readable format (Art. 20).
- Object to processing based on our legitimate interests (Art. 21).
- Lodge a complaint with your local EU supervisory authority or with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).
To exercise any of these rights, write to privacy@thirdrailsystems.ee. We will respond within one month of receipt (Art. 12(3)).
6. Security
We maintain organizational and technical measures appropriate to the nature of the data we process: encryption in transit (TLS 1.2+), encryption at rest for the pilot-requests datastore, least-privilege access, and audit logging. Our production platform extends these measures with on-device encryption of identity inputs, stateless synthesis, and immutable vector logging — consistent with the EU AI Act's expectations for limited-risk assistive decision-support systems.
7. Children
This website and our product are not directed at children under 16 and we do not knowingly process children's data.
8. Changes to this notice
We will update this notice as our processing evolves and, in all events, following counsel review. Material changes will be communicated on this page with a revised version number and date.
9. Contact
Harju maakond, Tallinn, Lasnamäe linnaosa, Sepapaja tn 6, 15551, Estonia.