Privacy Policy
Last updated: 19 May 2026
1. Who we are
Henley Tube ("we", "us", "our") operates the Henley Tube express coach service and this website. We are the data controller for personal data collected through this site.
Contact: info@henleytube.co.uk
2. What data we collect
When you register an account:
- Full name and email address
- Phone number (optional)
- Account credentials (password stored as a secure hash — we never see it)
When you book a ticket:
- Journey details (dates, times, passengers)
- Payment details — processed by Stripe. We store only the payment reference; no card data is held by us
When you express interest (pre-launch):
- Name and email
- Expected usage frequency and price range
- Preferred travel times
- Your marketing and consent preferences
Automatically collected:
- IP address and browser type (server logs, retained for 30 days)
- Aggregated page view and performance data via Vercel Analytics (no cross-site tracking; no personal identifiers stored)
- Cookies — see Section 6
3. How we use your data
| Purpose | Lawful basis |
|---|---|
| Fulfil your booking and process payment | Contract performance |
| Send booking confirmations and receipts | Contract performance |
| Notify you of service updates, changes or cancellations | Legitimate interests |
| Contact you about the service launch (expressions of interest) | Consent |
| Send marketing emails (if opted in) | Consent |
| Improve our website and service | Legitimate interests |
| Comply with legal obligations | Legal obligation |
4. Data retention
- Account data: retained while your account is active, deleted within 30 days of account closure
- Booking records: retained for 7 years (UK financial records requirement). Records are anonymised on account deletion — your journey history is kept but unlinked from your identity
- Expression of interest data: retained for 24 months from submission, or until you withdraw consent
- Marketing preferences: retained until you unsubscribe or withdraw consent
5. Who we share your data with
We use the following third-party processors. Each is bound by a Data Processing Agreement and handles data only as we instruct:
- Stripe Inc. (USA) — payment processing. Their privacy policy applies to card data. Stripe is certified to PCI DSS Level 1. Data transfers to the USA are covered by the UK-US Data Bridge adequacy decision.
- Supabase Inc. (USA, data hosted in EU) — secure cloud database hosting. Your data is stored in EU regions (Ireland and Frankfurt). Supabase infrastructure is subject to Standard Contractual Clauses.
- Vercel Inc. (USA) — website hosting and analytics. Vercel Analytics collects aggregated, anonymised page view data. No personal identifiers are stored. Transfers covered by Standard Contractual Clauses.
- Sentry Inc. (USA) — application error monitoring. Error reports may include technical identifiers (user IDs) to help diagnose issues. Data is pseudonymised where possible. Transfers covered by Standard Contractual Clauses.
- Inngest Inc. (USA) — background job processing for booking events (e.g. sending confirmation emails). Receives booking identifiers and user IDs only. Transfers covered by Standard Contractual Clauses.
We do not sell your personal data to any third party.
6. Cookies
| Cookie | Purpose | Duration |
|---|---|---|
| sb-access-token | Authentication session (Supabase) | Session |
| sb-refresh-token | Keeps you logged in | 1 week |
| cookie_consent | Remembers your cookie preference | 1 year |
| preview_bypass | Pre-launch preview access | 30 days |
| _vercel_analytics | Aggregated, anonymised page view analytics (Vercel) | Session |
Essential cookies cannot be disabled as they are required for the site to function. You can decline analytics cookies via the banner shown on your first visit.
7. International transfers
Some of our processors are based outside the UK. Where personal data is transferred to the USA, we rely on one of the following safeguards:
- UK-US Data Bridge — applies to Stripe, which is certified under this framework
- Standard Contractual Clauses (SCCs) — used for transfers to Supabase, Vercel, Sentry, and Inngest
8. Your rights (UK GDPR)
Under the UK General Data Protection Regulation you have the right to:
- Access — request a copy of your personal data
- Rectification — ask us to correct inaccurate data
- Erasure — ask us to delete your data (subject to legal retention obligations)
- Restriction — ask us to limit how we use your data
- Portability — receive your data in a machine-readable format
- Object — object to processing based on legitimate interests
- Withdraw consent — at any time, where processing is based on consent
To exercise any right, email info@henleytube.co.uk. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).
9. Changes to this policy
We may update this policy from time to time. We will notify registered users of material changes by email. The date at the top of this page will always reflect the most recent version.