Privacy policy

At Tracsis Plc, we are strongly committed to keeping your information safe. We know and understand that your privacy is important to you, and that you care about how your personal data is used. We respect and value the privacy of everyone who visits our website, www.tracsis.com and will only collect and use personal data in ways that are described here, and in a way that is consistent with our obligations and your rights under the law.

Please read this Privacy Notice carefully and ensure that you understand it. Your acceptance of this Privacy Notice was requested when you joined the website.

1. Introduction

Tracsis plc and its subsidiaries (“Tracsis,” “we,” “us,” “our”) respects your privacy and is committed to protecting it through our compliance with this Privacy Policy (“Policy”). This Policy explains how we collect, use, and protect your personal data when you interact with us.

This Policy applies to Tracsis plc and its subsidiaries (together, “Tracsis”), each of which may collect and process personal data in connection with their business activities.

2. Who we are

Tracsis is a leading provider of software, hardware, data analytics/GIS and services for the rail, traffic data and wider transport industries. We provide a range of services including transport data analytics, traffic and event management, rail operations and safety systems, smart ticketing, software development, and consultancy services to both public and private sector clients. Tracsis is headquartered in Leeds, England, but we have operating locations throughout the UK, Ireland and North America.

The Tracsis group of companies includes (but is not limited to):

• Tracsis plc (a company registered in England & Wales under company number 05019106)

• Compass Informatics UK Limited (a company registered in England & Wales under company number 08029553)

• MPEC Technology Limited (a company registered in England & Wales under company number 03921641)

• Tracsis Events Limited (a company registered in England & Wales under company number 03524447)

• Tracsis Rail Technology & Services Limited (a company registered in England & Wales under company number 03949810)

• Tracsis Traffic Data Limited (a company registered in England & Wales under company number 03896384)

• Compass Informatics Limited (registered in Ireland)

• RailComm LLC (registered in North America)

Some Tracsis subsidiaries operate outside of the United Kingdom and the European Union and therefore outside the scope of UK and EU GDPR. All Tracsis entities follow the same data protection principles and security standards as those required under the UK GDPR and EU GDPR, except in circumstances where a local law, duty or obligation conflicts with the GDPR. In such circumstances, the law in that jurisdiction will always prevail.

Where a Tracsis subsidiary located outside the UK or EU process personal data of individuals in those regions, your data protection rights under this Policy will apply unless otherwise prohibited by the local law, and requests may be submitted to Tracsis’s Data Protection Team.

Where processing relates solely to data originating outside the UK and EU, those rights may not be applicable under the law. However, Tracsis remains committed to handling all personal data to equivalent standards of fairness, transparency, and protection.

3. What information we collect, use, and why

At Tracsis, we collect and use personal data to provide our clients, partners, and suppliers with high-quality services and solutions. This section outlines the types of personal data we collect, how we use it, and the reasons for processing it.

Depending on the nature of our relationship, Tracsis may act either as:

• A data controller, when determining how and why personal data is processed in connection with our own business activities (such as client account management, supplier relations, marketing, or recruitment); or

• A data processor, when processing personal data on behalf of a client or third party under contract and according to their written instructions.

When acting as a processor, we process data strictly in line with our client’s directions and our contractual obligations. In these circumstances, the client’s privacy notice will explain how your personal data is used.

3.1. Types of Personal Data We Collect

We may collect and process the following types of personal data, depending on the nature of our relationship and the services we provide:

For more information about cookies and how we use them, please see our Cookies Policy.

3.2 How We Use Your Personal Data

We process personal data for several purposes, including:

(a) To Provide and Deliver Our Services

• We use business contact and operational data to manage client accounts, deliver transport data services, event management solutions, and consultancy services, and ensure the quality and continuity of our products.

(b) To Fulfil Our Contractual Obligations

• Contractual and financial data is used to process orders, issue invoices, manage service agreements, and maintain ongoing communication with clients and suppliers.

(c) To Meet Legal and Regulatory Requirements

· We process compliance data to adhere to legal obligations such as tax reporting, right-to-work checks, data protection laws, and health and safety regulations.

(d) To Improve Our Products and Services

• Operational and service data (e.g. passenger flows, vehicle movement data) is analysed to monitor and improve service delivery, performance, and system design, ensuring we meet client needs.

(e) For Marketing and Communication Purposes

• We use marketing data to send targeted communications about our services, new product offerings, and relevant industry insights. We only send marketing materials that are aligned with the client or partner’s interests and roles in the industry.

(f) To Ensure Security and Prevent Fraud

• Technical data is processed to ensure secure our systems, prevent fraud, ensure the integrity of data and services, and manage any incidents that may arise.

3.3 Why We Process Your Personal Data

The processing of your personal data is necessary for the following reasons:

(a) Consent

• Where required (for example, for marketing communications), we will seek your explicit consent to process your personal data. You can withdraw your consent at any time.

(b) Contractual Necessity

• We have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.

(c) Legitimate interests

• We process personal data based on our legitimate interests in providing and improving our services, managing business relationships, and marketing products within the transport, infrastructure, and technology sectors. We ensure this does not override your rights and freedoms.

(d) Legal Obligations

• We have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.

(e) Public Task

• Where we process personal data on behalf of, or in collaboration with, a public authority or transport body in the performance of a task carried out in the public interest (for example, traffic data collection, event management for local authorities, or transport infrastructure analysis).

3.4 Special Category Data

In limited circumstances, Tracsis may collect and process special category data as part of recruitment, onboarding, and employment-related activities.

Special category data includes information that requires additional protection such as:

(a) Racial or ethnic origin

(b) Religious or philosophical beliefs

(c) Health information (including disability or workplace adjustments)

(d) Sexual orientation information

We only process this information where necessary for lawful employment and compliance. We protect this data with enhanced confidentiality and access controls, limiting visibility to authorised staff only. All special category data is retained only as long as necessary in line with our Data Retention Policy and securely deleted once no longer required.

3.5 How We Protect Your Personal Data

We take the security of your personal data seriously. We implement a variety of technical, physical, and organisational measures to ensure the confidentiality, integrity, and availability of personal data. These measures include encryption, secure access controls, regular security assessments, and employee training.

4. Our Legitimate Interests

We rely on the lawful basis of legitimate interests where processing personal data is necessary for the effective operation of our business, provided that such interests are not overridden by your rights and freedoms.

Our legitimate interests include:

(a) Delivering and improving our services. Providing transport data analytics, event and traffic management, rail operations systems, and technology solution to our clients which may include public bodies.

(b) Managing client and supplier relationships. Maintaining professional communications, fulfilling contracts, and ensuring continuity of service.

(c) Ensuring business efficiency and operational management. Administering internal processes such as project coordination, auditing compliance monitoring, and record management.

(d) Developing and enhancing our products and systems. Analysing usage, feedback, and performance data to improve the quality, reliability, and safety of our software and services.

(e) Promoting and marketing our services. Communicating with existing and prospective clients and business partners about our services, events, or industry insights that may be relevant to their professional role.

(f) Maintaining IT and network security. Protecting systems, networks, and information against unauthorised access, cyber threats, or data breaches.

(g) Protecting our legal and commercial interests. Managing risk, preventing fraud or misuse, and defending or pursuing legal claims when necessary.

(h) Ensuring health, safety, and security. Safeguarding our employees, contractors, visitors, and event participants through incident reporting and operational monitoring.

(i) Supporting public interests’ projects. Assisting local authorities, transport operators, and public sector clients in carrying out their statutory duties and public service functions.

(j) Internal governance and group administration. Sharing data to the extent that is reasonably necessary within Tracsis to streamline internal management, finance, People, compliance, and reporting functions.

5. How Long We Keep Information

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to meet legal, regulatory, contractual, or operational requirements. Once data is no longer needed, it is securely deleted or anonymised in accordance with our Data Retention Policy.

6. Who We Share Information With

We treat personal data with care and confidentiality and only share it where necessary, lawful, and proportionate to support the delivery of our services to meet legal and regulatory requirements.

Depending on the nature of our relationship and the services provided, we may share personal information with the following categories of recipients:

6.1 Within Tracsis

Personal data may be shared among Tracsis entities to support internal administration, shared services, business operations, and compliance functions.

All Tracsis companies operate under contractual, technical, and organisational measures to ensure data is protected and used lawfully.

6.2 Clients and Public Authorities

Where Tracsis provides services on behalf of, or in collaboration with, public authorities, transport bodies, or private sector clients, we may share personal data with these organisations to fulfil our contractual or statutory obligations.

In such cases, data is only shared to the extent necessary for the agreed purposes, in accordance with our role as a data controller or data processor, as defined under the UK GDPR.

6.3 Service Providers and Professional Advisers

We engage third-party suppliers to assist with certain business and operational functions. These may include:

(a) IT and cloud hosting providers;

(b) Data analytics, software, and system support services;

(c) Professional advisers (such as legal, financial, and audit firms);

(d) Payroll and People Team management providers; and

(e) Security, facilities, and logistics contractors.

All third parties acting as data processors on our behalf are required to:

(f) Process data only in accordance with our written instructions;

(g) Maintain confidentiality; and

(h) Implement appropriate technical and organisational security measures.

6.4 Regulators, Government Bodies, and Law Enforcement

We may disclose personal data where required to do so by law or regulation, or where we believe disclosure is necessary to:

(i) Respond to lawful requests or investigations by regulatory, governmental, or law enforcement authorities;

(j) Protect our legal rights or defend against legal claims; or

(k) Detect, prevent, or report suspected fraud, misconduct, or security incidents.

6.5 Event or Project Partners

In certain projects or events, Tracsis may work jointly with partners, contractors, or local authorities to deliver transport or event management solutions.

Personal data may be shared where necessary to coordinate event logistics, ensure safety, and manage operational requirements, under data-sharing or joint-controller agreements.

6.6 International Data Transfer

Where necessary, we will transfer personal data outside of the UK, including between Tracsis entities that are not registered in the UK. When doing so, we comply with the UK GDPR, making sure appropriate safeguards are in place.

6.7 Safeguards and Data Protection Measures

Whenever we share personal data, we ensure that:

• Only the minimum data necessary is shared;

• Sharing is conducted under a lawful basis;

• Appropriate data protection agreements or data sharing agreements are in place; and

• Transfers outside the UK or EEA are safeguarded through mechanisms such as UK International Data Transfer Agreements (“IDTAs”) or Standard Contractual Clauses (“SCCs”).

We do not sell or rent personal data to third parties for marketing.

7. Your Data Protection Rights

Under the UK GDPR, you have several rights in relation to the personal data that we hold about you. Tracsis respects and upholds these rights, and you may exercise them at any time by contacting us using the details provided in the Contact us section of this Policy.

Depending upon our relationship with you and the lawful basis for processing, your rights may include:

(a) Right of Access

You have the right to request access to the personal data we hold about you and to receive a copy of that information, together with details about how and why it is processed.

(b) Right to Rectification

You have the right to request correction of any inaccurate or incomplete personal data we hold about you to ensure it is accurate and up to date.

(c) Right to Erasure (“Right to be Forgotten”)

You have the right to request the deletion of your personal data where:

• It is no longer necessary for the purpose for which it was collected;

• You have withdrawn your consent (where processing was based on consent); or

• You have objected to the processing and there are no overriding legitimate grounds for us to continue.

Please note that we may retain certain data where necessary to comply with legal obligations, resolve disputes, or establish or defend legal claims.

(d) Right to Restrict Processing

You have the right to request that we temporarily suspend the processing of your personal data where:

· You contest its accuracy;

· The processing is unlawful but you do not wish it to be deleted;

· The data is no longer needed by Tracsis but you require it for legal purposes; or

· You have objected to the processing, and we are considering your request.

(e) Right to Data Portability

Where processing is based on your consent or by contract, and is carried out by automated means, you have the right to request that we provide your data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.

(f) Right to Object

You have the right to object to processing carried out under legitimate interest or public task bases where you believe it impacts your rights and freedoms.

You also have the right to object to receiving direct marketing from us at any time. We will respect all objections and stop processing your data for those purposes unless we have compelling legitimate grounds to continue.

7.1 How to Exercise Your Rights

If you wish to exercise any of your data protection rights, please refer to the Contact us section below for details on how to get in touch with our Data Protection Team.

We may need to verify your identity before responding to your request. Once verified, we aim to respond within one month, as required by law.

If your request is complex or we receive multiple requests, we may extend this period by up to two further months and will notify you accordingly.

8. Automated Decision-Making and Profiling

Tracsis does not make decisions about individuals based solely on automated processing that produce legal or similarly significant effects. If this changes, we will update this Policy and inform you before such processing takes place.

9. Your Right to Complain

If you are concerned about how we handle your personal data, please contact us in the first instance.

If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the Information Commissioner’s Office (“ICO”), the UK’s independent data protection authority.

10. Contact us

If you have any questions about how we collect or use personal data, please contact us at:

11. Changes to this Privacy Policy

We may update this Policy from time to time to reflect changes in our business operations, legal requirements, or data protection practices. Any updates will be published on our website.

We encourage you to review this Policy periodically to stay informed about how we protect your personal data and privacy rights.

12. Last updated

This Privacy Policy was last updated on 05 November 2025