Privacy Policy

Last updated: 8 April 2026

1. Who We Are

SCART (Secure Communication Assessment Rail Track) is operated by PiPcall Ltd, registered in England and Wales. We provide safety-critical communications assessment services to the UK rail industry.

2. What Data We Collect

We collect and process the following data:

• Account information: name, email address, organisation, role
• Assessment data: audio recordings and transcripts of safety-critical communications submitted for assessment
• Personnel data: names, roles, and performance metrics of railway staff identified in assessments
• Usage data: login times, feature usage, and system interactions

3. Legal Basis for Processing

We process personal data on the following bases:

• Legitimate interest: safety-critical communications monitoring is a regulatory requirement under NR/L3/OPS/301 and the Railways and Other Guided Transport Systems (Safety) Regulations 2006
• Contractual necessity: to provide the assessment services your organisation has contracted for
• Consent: where required for optional features such as email notifications

4. How We Use Your Data

• Assessing safety-critical communications against NR/L3/OPS/301 standards
• Generating SCC Monitoring Forms (NR/L3/OPS/301/03FA)
• Tracking personnel competence and generating Development Action Plans
• Producing aggregate reports for Communication Review Groups (CRGs)
• Improving the accuracy and effectiveness of our assessment engine

5. Data Retention

Assessment data is retained in accordance with NR/L3/OPS/301/01 (Clause 6.1): recorded calls are kept for a maximum of 90 days unless required for investigation or competence purposes. Assessment results and SCC forms are retained as per your organisation's corporate records retention schedule.

6. Data Protection Impact Assessment

A Data Protection Impact Assessment (DPIA) has been undertaken in accordance with NR/L3/OPS/301/02 (Clause 5) and UK GDPR requirements. This is available on request.

7. Data Sharing

We do not share personal data with third parties except:

• With your organisation's authorised personnel (line managers, assessors, CRG members) as configured in your access controls
• With enforcement agencies (BTP, ORR, RAIB) if required by law or as part of an investigation per NR/L3/OPS/301/05
• With our cloud infrastructure provider (AWS) who process data under a Data Processing Agreement

8. Your Rights

Under UK GDPR you have the right to access, rectify, erase, restrict processing, data portability, and object to processing. Contact us at privacy@pipcall.com to exercise these rights.

9. Data Security

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Our infrastructure is hosted in AWS eu-west-2 (London). Access is controlled through role-based access control with audit logging.

10. Contact

Data Controller: PiPcall Ltd
Email: privacy@pipcall.com