Privacy Policy

The Bogie is a real-time community platform for Indian Railways passengers. It allows verified ticket holders to connect with fellow passengers on the same train during their journey. We are not affiliated with IRCTC, Indian Railways, or any government body.

Contact: hello@thebogie.com

We collect as little as possible:

• PNR hash — Your PNR number is passed to the IRCTC verification API to confirm you hold a valid ticket. It is then cryptographically hashed (SHA-256) and only the hash is stored. The original PNR is never saved.
• Nickname and bio — The anonymous name you choose, and an optional short bio (max 20 words). No real name, phone number, or email is collected.
• Coach and seat number — Taken from your PNR to identify you within your train's room.
• Messages — Chat messages you send within the train room.
• Moments — Photos and stories you choose to share during your journey.
• Direct messages — Private conversations between passengers.
• Anonymous session token — Supabase anonymous authentication creates a session. No email or password is used.
• Usage analytics — Anonymised events (e.g. "message sent", "swap posted") via PostHog to help us improve the product. No personally identifiable information is included in analytics.

• Your real name
• Your phone number or email address
• Your raw PNR number (it is hashed immediately and discarded)
• Your location or GPS coordinates
• Your device identifiers or advertising IDs
• Any information from your device beyond what is listed above

Journey-scoped deletion is the core design of The Bogie. When your train arrives at its final destination:

• All chat messages in the room are permanently deleted.
• All photos and moments posted to the room are permanently deleted.
• All direct messages between passengers are permanently deleted.
• All swap requests are permanently deleted.
• The passenger records (nickname, bio, seat) are permanently deleted.

This deletion is automatic and irreversible. We do not archive, back up, or retain any of this data after the room expires.

Image files uploaded to Moments are stored in Supabase Storage and are also deleted when the room expires.

We use the following third-party services to operate The Bogie:

• Supabase (supabase.com) — Database, authentication, real-time messaging, and file storage. Data is stored on servers in the EU/US. Supabase is GDPR compliant.
• IRCTC PNR API (via RapidAPI) — Used only to verify that your PNR is a valid ticket. No data is stored by us from this API beyond the hash of your PNR.
• Google Places API — Used only in the Utilities tab to show nearby places at stations you tap. No personal data is sent to Google.
• PostHog — Anonymised product analytics. Events contain no personally identifiable information.
• Vercel — Hosting provider for the web application. Standard server access logs may be retained per Vercel's policy.

We do not use advertising cookies or tracking pixels. We use browserlocalStorage to remember your session (nickname and room) within your browser so you do not need to re-enter your PNR on every visit during the same journey. This data is local to your device and is cleared when your room expires.

You have the right to:

• Access — Request a copy of any data we hold about you (linked to your anonymous session).
• Deletion — Request immediate deletion of your data at any time. You can also simply wait — everything is deleted automatically at journey end.
• Portability — Request your data in a machine-readable format.

To exercise any of these rights, email us at hello@thebogie.com. Because accounts are fully anonymous, we will need your session token or nickname to identify your records.

The Bogie is intended for passengers who hold their own valid Indian Railways ticket. We do not knowingly collect data from children under 13. If you believe a child has used The Bogie, please contact us.

All communication between your browser and our servers is encrypted via HTTPS. PNR numbers are hashed immediately on the server before any storage. API keys are never exposed to the client. Our API routes require authentication tokens. We apply rate limiting to prevent abuse.

We may update this Privacy Policy from time to time. Material changes will be communicated by updating the "Last updated" date at the top of this page. Continued use of The Bogie after a policy update constitutes acceptance of the new policy.