1. 1. OUR PRIVACY POLICY
    1. 1.1. This Privacy Policy of Etihad Rail Mobility – Sole Proprietorship L.L.C., organised and existing under the applicable laws of Abu Dhabi, United Arab Emirates (with licence number CN-4444690), having its principal place of business at Quartz HB Tower (Yas Place), 9th Floor, Yas Street, Yas Island, P.O. Box 7728, Abu Dhabi, United Arab Emirates (“Etihad Rail”, “we”, “us” or “our”), explains when, what, how, and why we are using your Personal Data if you have purchased a ticket with us whether on our online purchase platforms or at our selling points of the rail network, subscribed to any of our applications, newsletter or similar online subscription whether automatically generated or individually generated, contacted us (for example, using a “contact us” form, or sending us an email or calling us), or visited or used our website, (our “Website”) and/or our official mobile application available for download via major third-party mobile application platforms (including the Apple App Store and Google Play Store) (our “Mobile Apps”) and/or any other digital platform released by us or applications (collectively, our “Digital Platforms”).
    2. 1.2. Your privacy is important to us and maintaining your trust is our priority. This Privacy Policy provides a comprehensive explanation of how we collect, process, and store your Personal Data, including: (i) the specific purposes for which we process your Personal Data; (ii) the categories of third parties with whom we may share it, and the circumstances in which such sharing occurs; (iii) the safeguards we implement to protect your data if it is transferred outside the UAE; and (iv) the measures we take to ensure the security and integrity of your Personal Data. This Privacy Policy also sets out your rights as a Data Subject and how you can contact us about the use of your Personal Data. We are committed to handling your information in a manner that respects your rights under UAE law, including the Federal Decree-Law No. (45) of 2021 on the Protection of Personal Data and its executive regulations (the “PDPL”), as amended or replaced from time to time.
    3. 1.3. This Privacy Policy should be read in conjunction with our Cookie Policy and our Terms of Use, which provide further detail on how and why we collect, store, use, and share personal data generally, as well as your rights in relation to that personal data and the legal bases upon which we rely. The English version of this Privacy Policy shall prevail over any version of this Privacy Policy in another language. In the event of any inconsistency in interpretation between the English version and any translation of this Privacy Policy, the English version shall prevail.
    4. 1.4. Third Party Websites: Our Digital Platforms may contain links directing you to external websites operated by third parties. Etihad Rail does not exercise control over, and expressly disclaims any responsibility for, the operational practices of such third-party websites, including, without limitation, the manner in which they collect, process, store or otherwise handle any personal information you may provide to them. For your protection, we strongly encourage you to review the privacy policies and terms of use of any third-party website prior to providing any personal information or engaging with their services.

  1. 2. DEFINITIONS AND INTERPRETATION
    1. 2.1. In this Privacy Policy, the following words and expressions have the meanings set out below:

      (a) “we”, “our”, “ourselves”, “us”, “Etihad Rail” means Etihad Rail Mobility – Sole Proprietorship L.L.C.

      (b) “you”, “your”, “yourself”, and “passenger” means in each case any individual whose Personal Data We process in connection with the use of Our services, platforms, facilities, or communications, including passengers, visitors, users of our Digital Platforms, and anyone who contacts or interacts with us in any way.

      (c) "Controller" means any establishment or natural person who, alone or jointly with others, determines the means, methods and purposes of Processing Personal Data.

      (d) "Data Subject" means the Natural Person to whom the Personal Data relates.

      (e) "DPO" means our Data Protection Officer. You can find their contact details in the Contact Information section below.

      (f) "Natural Person" means a living human being.

      (g) "Personal Data" means any information relating to an identified or identifiable person. This includes information that, either alone or in combination with other information, can identify you. It also includes Sensitive Personal Data.

      (h) “Personal Data Protection Law” or “PDPL” means UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, as amended or replaced from time to time, including any executive regulations, decisions, or guidance issued thereunder.

      (i) "Processor" means any establishment or Natural Person who Processes Personal Data on behalf of the Controller and under the Controller’s instructions.

      (j) "Processing" means any operation or set of operations performed on Personal Data (whether by automated means or otherwise), including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment or combination, restriction, erasure or destruction.

      (k) “Sensitive Personal Data” means any data that directly or indirectly reveals a Natural Person's family, racial origin, political or philosophical opinions, religious beliefs, criminal records, financial status and activities, biometric data, or any data related to the health of such person, such as his/her physical, psychological, mental, genetic or sexual condition, including information related to health care services provided thereto that reveals his/her health status.

    2. 2.2.Where the context requires so and to the extent it may be applicable, the definitions of our General Conditions of Carriage may apply to this Privacy Policy.

  1. 3. WHO ARE WE?
  2. 3.1. This Privacy Policy is provided by Etihad Rail and its affiliates. When we collect your Personal Data, we act as a “Controller” for the purposes of the PDPL, meaning that we determine the purposes and means of the Processing of your Personal Data. The affiliated entities listed in Annex A may also be Controllers or Processors of your Personal Data, and this Privacy Policy applies to their processing of your data as well. A summary of the roles of each affiliated entity is provided in Section 13 (Our List of Controllers and Processors).

  1. 4. WHEN IS THIS POLICY APPLICABLE AND WHAT INFORMATION IS COLLECTED AND USED?
  2. 4.1.This Privacy Policy applies to our collection and Processing of your Personal Data during the course of our business. Please refer to the below table to see what Personal Data we collect and when we collect it, which relates to both your and any other person(s)’ Personal Data which you share with us, and includes primarily, without limitation:

    No.

    When we collect your Personal Data

    What Personal Data we collect

    Why we collect and use your Personal Data

    1

    When you create an account on our Digital Platforms or at a station ticket office

    Identification Data: Your name, username and password, date of birth, gender, nationality, and (where applicable) identification number from an accepted form of identification, such as your Passport, Emirates ID, GCC national or resident card, or any other official identification document that includes your recent photograph and is issued by a relevant government or regulatory authority. We may update the types of identification documents we accept from time to time at our discretion.

    Biometric Data: We may offer optional biometric security features (such as, if ever implemented by us: fingerprint, facial recognition, or iris scan) to help you access your account on our Digital Platforms. We do not collect or store your biometric data - these features rely on your own device's security settings.

    Contact Data: Your email address, phone number, an emergency contact (optional but recommended), and your communication preferences.

    We need this information to create and manage your account, keep our services secure, and prevent fraud. Where you share sensitive information (such as accessibility needs), we will ask for your explicit consent.

    We may save your travel preferences and payment details to improve your booking experience. You can manage or delete your saved information anytime in your account settings.

    2

    When you use our Digital Platforms

    Geographical Data: Your residential address (where needed for bus transfers or drop-off/pick-up services) and country of residence (for invoicing purposes).

    Online Identifiers: Your IP address, cookies, device and browser identifiers, GPS location (when you enable it), and operating system information.

    We use this information to deliver our services and keep them secure. We will ask for your consent before using non‑essential cookies or tracking your precise location.

    3

    When you purchase a ticket or use guest checkout

    Payment Data: Your credit or debit card details, which are processed securely through a PCI DSS compliant third-party payment provider. We do not store your full card details - if you choose to save your payment information for future purchases, we only store a secure tokenised reference.

    Travel Data: Your ticket details, journey itinerary (including your departure and arrival stations and travel dates), booking reference, and travel history.

    We need this information to process your booking and provide you with your ticket. We may also use it to meet our legal obligations for safety and regulatory reporting.

    4

    When you contact us (enquiries, complaints, or lost property)

    Communication Data: Records of your communications with us, including emails, phone calls, social media messages, chatbot conversations, and customer service records (such as claims, complaints, and lost property requests). If relevant, we may also record dietary requirements, medical conditions, or assistance needs that you share with us.

    We use this information to respond to your enquiries and improve our services. If you share sensitive information (such as health or dietary needs), we will ask for your explicit consent.

    5

    When you visit our stations or travel on our trains

    Image and Likeness Data: Photographic and video footage captured by CCTV cameras at our stations, onboard our trains, and at other Etihad Rail facilities. Signage will inform you where CCTV is in use. We typically keep these recordings for 30–60 days, unless they are needed for an investigation or legal proceedings.

    We use CCTV for the safety and security of our passengers, staff, and facilities. This is in the public interest and may be required by law.

    6

    When you request accessibility or assistance

    Accessibility Data: Information about your accessibility or assistance needs, such as seating requirements, mobility or wheelchair assistance, and whether a companion will be travelling with you. This may include sensitive information about your disability status.

    We need this information to provide you with appropriate support and ensure you have a safe and comfortable journey. Because this may include sensitive personal data, we will ask for your explicit consent.

    7

    When you book for accompanying passengers

    Companion Data: The name, gender, age (passenger type), and any relevant concession eligibility for passengers travelling with you. By providing this information, you confirm that you are authorised to share it on their behalf.

    We need this information to process the booking and verify any applicable fare concessions.

    8

    When you use station parking facilities

    Vehicle Data: Your licence plate number and vehicle details when you book or use parking facilities at our stations. This information may also be captured through our station ANPR (automatic number plate recognition) cameras.

    We need this information to provide parking services and to help keep our stations secure.

    9

    When you connect to onboard or station Wi-Fi

    Wi-Fi Data: Your device’s MAC address, IP address, browser and operating system information; your mobile number or email (used to register for Wi-Fi and for OTP verification); and usage data such as session duration and data volume. We keep Wi-Fi registration logs for up to 12 months for security and network management purposes.

    We need this information to provide you with Wi-Fi access and to manage our network securely. If you opt in to receive marketing communications when signing up, we will rely on your consent for those.

    10

    When you sign up for marketing communications

    Marketing Data: Your contact details (email, phone), your marketing preferences (such as preferred channels, language, and topics of interest), how you subscribed, and engagement data (such as whether you open or click on our communications).

    We will only send you marketing communications with your consent. You can withdraw your consent or update your preferences at any time using the unsubscribe link in our emails or through your account settings. We will honour your request promptly.

    11

    When you take part in surveys or share feedback

    Feedback Data: Your contact details, your responses and ratings, and optional demographic information (such as age band, how often you travel, and why you travel) — all provided voluntarily.

    We use this information to improve our services. Your participation is entirely voluntary and based on your consent.

    12

    If an incident occurs onboard or at a station

    Incident Data: Statements, witness contact details, a description of the event, health data (if first aid is provided), and relevant CCTV footage. We may also share information with emergency services, police, or regulatory authorities as required.

    We are required by law to report certain safety incidents. Where we collect sensitive health data, we will seek your explicit consent where practicable.

    13

    When you use fare gates (tap-in/tap-out)

    Journey Data: Your entry station, exit station, timestamps, and ticket validation records — capturing the actual journey you take.

    We need this information to calculate your fare accurately and validate your journey.

    14

    If you are subject to ticket inspection

    Inspection Data: Your identification document details, any penalty fare payment information, notes from the inspection (including time, train service, and officer details), and verification of any concession eligibility.

    We are required to collect this information to protect revenue and enforce the terms of your ticket.

    15

    When you join our loyalty programme

    Loyalty Data: Your member ID, membership tier, points balance, qualifying journeys, and redemption history.

    We need this information to manage your membership and provide your benefits. If any benefit involves sensitive personal data, we will ask for your explicit consent.

    16

    When you apply for or use a fare concession

    Concession Data: Eligibility documents such as student ID, age verification, Emirates ID (for resident fares), POD card, or birth certificate (for child fares), along with verification records. This may include sensitive personal data where your disability status is part of the eligibility criteria.

    We need this information to verify that you qualify for the concession. If this involves sensitive personal data, we will ask for your explicit consent.

    17

    When you use our Digital Platforms (for analytics purposes)

    Analytics Data: Information about how you use our Digital Platforms, such as page views, click paths, session recordings (if used), A/B test allocations, crash logs, and advertising identifiers. This data is collected by third-party analytics providers.

    We use this information to improve our services. We will ask for your consent before using non-essential analytics or advertising tracking.

    18

    When you sign in using social login or UAE Pass

    Authentication Data: Your name, email, verified phone number, and authentication tokens. If you use UAE Pass, we also receive your Emirates ID-linked verified identity.

    We need this information to verify your identity and give you access to your account.

    19

    When you order onboard catering

    Catering Data: Your meal selections and dietary preferences (such as vegetarian, vegan, halal, allergies, or other dietary requirements) so we can provide suitable onboard catering options.

    We need this information to fulfil your catering order. If your dietary requirements reveal health information (such as allergies), we will ask for your explicit consent.

    20

    When you book through a third party (such as a travel agency or booking platform)

    Third-Party Booking Data: Your identification details (name, email, phone number), passenger type (age category), meal preferences, and any accessibility requirements (such as POD or wheelchair needs) — received from the authorised third party handling your booking.

    We need this information to fulfil your booking. If it includes sensitive personal data, the third party will have obtained your explicit consent on our behalf.

    21

    When you report lost property

    Lost Property Data: Your contact details, journey information, identification details, and a description of the lost item. We may ask for general information about the item’s contents for verification, but we will not request detailed or sensitive information unless strictly necessary.

    We use this information to help reunite you with your lost property.

    22

    When you access our station lounges

    Lounge Access Data: Your ticket or booking reference (to verify eligibility), entry time and duration, loyalty member ID (if applicable), and any food, beverage, or service preferences you share with us.

    We need this information to verify your eligibility for lounge access (whether included with your ticket fare/concession or as a loyalty reward) and to provide you with lounge services.

    23

    When you use the chatbot, virtual assistant, or AI-powered support features

    AI Interaction Data: Records of your conversations with our chatbot, virtual assistant, or other AI-powered support tools, including your questions and requests, the responses provided, timestamps, session identifiers, and any feedback you provide on the interaction. We may also collect technical data such as the device and browser you use to access these features.

    We use this information to respond to your enquiries, improve the accuracy and helpfulness of our AI-powered tools, and enhance our customer service. We may use automated decision-making to route your enquiry or suggest responses, but any decision with significant effects will be subject to human review.
  3. 4.2.We will usually collect information directly from You, however We may sometimes receive Personal Data relating to You from a third party, such as a government agency or other member of the public (if they buy a ticket on Your behalf). We will treat such Personal Data with the same level of care and control We apply to Personal Data collected directly from You.
  4. 4.3.If you provide us with Personal Data about someone else (for example, when buying a ticket for them), you confirm that you have their consent to do so. If you are buying a ticket on behalf of a person under the age of 18, you confirm that you have parental consent. Please see our General Conditions of Carriage and Passenger Charter for information about travelling with children.

  5. 4.4.If we need to collect Sensitive Personal Data from you (for example, health information for accessibility or assistance needs, or allergy declarations), we will ask for your explicit consent before processing it.

  1. 5. HOW MIGHT WE USE AND/OR SHARE YOUR PERSONAL DATA?
  2. 5.1.We only use your Personal Data for specific, clearly defined, and lawful purposes. We shall not process your Personal Data in any manner that is incompatible with those purposes without providing you with prior notice and, where required, obtaining your consent. We adhere to the principles of data minimisation and purpose limitation, meaning we collect only the Personal Data that is necessary for the stated purposes and take appropriate steps to keep it accurate, complete, and secure, in accordance with the PDPL.
  3. 5.2.We may use automated tools and technologies to support customer service, detect and prevent fraud, and improve our operations. We are committed to transparency regarding the use of automated decision-making. We do not make decisions based solely on automated processing that have legal effects or similarly significant impacts on you, without providing appropriate safeguards. Where such decisions are made, you have the right to request human review, express your point of view, contest the decision, and obtain an explanation of the logic involved.
  4. 5.3.We use your Personal Data for the following purposes:

    (a) Services Management: To process your bookings, issue your tickets, and manage your travel arrangements. We also use it to operate our Digital Platforms and to provide other services you request. We need to do this to fulfil our contract with you, or with your specific consent if you have requested accommodations due to medical, dietary, or religious reasons.

    (b) Customer Support: To respond to your enquiries, claims, and complaints, and to provide you with customer support.

    (c) Marketing: To send you promotional materials and offers where you have consented. This includes newsletters and commercial offers.

    (d) Cookies and similar technologies: We use cookies, SDKs, and similar technologies to operate our Digital Platforms, remember your preferences, measure performance, and (where you have consented) deliver advertising. You can manage your preferences via our cookie banner at any time. We will only use non-essential cookies with your consent. For more detail, please see our Cookie Policy.

    (e) Legal Obligations: To comply with legal and regulatory requirements, including safety and security measures, reporting to government authorities as required, and the prevention and reporting of crime.

    (f) Legal Claims: In the unlikely event that we need to do so, we may use your Personal Data in connection with legal claims.

  5. 5.4.We may share your Personal Data with the following categories of recipients, and we shall ensure that appropriate safeguards are in place to protect your data in each case:

    (a) Service Providers and Authorised Distributors: Third parties who assist us in providing our services, such as payment processors, IT providers, cloud service providers, and professional advisors. We conduct appropriate due diligence on our service providers and require them to enter into written agreements that include confidentiality, security, and data protection obligations. We take steps to ensure these providers only use your Personal Data for the specific purposes we have disclosed to them and in accordance with applicable law.

    (b) Authorities: Government authorities and law enforcement agencies, where required by law or for safety and security purposes.

    (c) Our Affiliates: Other companies within the Etihad Rail group, where necessary to provide our services. We take steps to ensure that transfers within our group are made securely and are limited to what is necessary.

  6. 5.5.Where we need to share your data, we will look to share it in aggregated, anonymised, or pseudonymised form where it is feasible and lawful to do so.

  1. 6. WHAT HAPPENS IN CASE OF CROSS-BORDER DATA TRANSFER?
  2. 6.1.Your Personal Data is primarily hosted and stored within the UAE on secure servers. However, limited analytics data processed through certain third-party platforms (including, for example, Google Analytics) may be transferred and processed outside the UAE. If we transfer your Personal Data outside the UAE, we shall only do so in accordance with the PDPL. This includes transferring data to countries that the UAE Data Office recognises as providing adequate protection, or (where adequate protection is not available) by implementing appropriate safeguards or relying on a PDPL exception such as your express consent or where the transfer is necessary to perform a contract with you. Appropriate safeguards may include standard contractual clauses, intra‑group data transfer agreements, and technical measures such as encryption, pseudonymisation, and access controls. Upon request, we can provide you with further information about the specific safeguards we have put in place for cross-border transfers of your Personal Data.

  1. 7. HOW ARE WE PROTECTING AND HANDLING YOUR PERSONAL DATA?
  2. 7.1.We implement appropriate technical and organisational measures to protect your Personal Data against unauthorised access, accidental or unlawful loss, destruction, alteration, or damage. These measures include, without limitation, encryption of data at rest and in transit, role-based access controls, segregation of duties, regular staff training on data protection and information security, vendor due diligence and ongoing monitoring, and regular security assessments and penetration testing. We regularly review and update our security measures to address evolving threats and vulnerabilities.
  3. 7.2.Personal Data Breaches: If a data breach occurs that may affect the privacy, confidentiality, or security of your Personal Data, we shall notify the UAE Data Office immediately and without undue delay, and, where required, inform affected individuals as soon as practicable. We shall explain the nature of the breach, its likely consequences, the categories of Personal Data affected, and the steps we are taking to address it and mitigate any adverse effects, in accordance with the PDPL and its Executive Regulations. We maintain an incident response plan and conduct regular exercises to ensure our readiness to respond to any such incidents.
  4. 7.3.Only relevant staff members will have access to your Personal Data, strictly for the purpose it was collected. We use access controls to enforce this principle. We also maintain records of our processing activities and require our processors to sign agreements that include confidentiality, security, and data protection obligations.

  1. 8. HOW LONG DO WE KEEP YOUR PERSONAL DATA?
  2. 8.1.We shall retain your Personal Data for as long as is reasonably necessary to fulfil the purposes for which it was collected, as explained in this Privacy Policy, and to meet any legal, regulatory, tax, accounting, auditing, or reporting requirements. We apply defined retention periods for different categories of data, which are determined based on the nature of the data, the purposes for which it is processed, and applicable legal requirements. We shall delete, anonymise, or securely destroy your Personal Data once the applicable retention period expires, unless a longer retention period is required or permitted by law. In specific circumstances, we may retain your Personal Data for longer periods so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your Personal Data or dealings with us. Details of our specific retention periods are available upon request.

  1. 9. YOUR RIGHTS UNDER THE LAW
  2. 9.1.Under the PDPL, you have the following rights regarding your Personal Data. These rights are subject to certain exceptions and limitations under applicable law, and we shall respond to any request you make in accordance with the timeframes and procedures set out in the PDPL and its Executive Regulations:

    (a) Right of Access: You can request access to your Personal Data and obtain a copy.

    (b) Right to Information: You can request information about how we process your Personal Data, including our purposes, processes, controls, and standards. This includes the right to obtain information (free of charge) about:

    • the types of Personal Data we process;
    • the purposes of processing;
    • decisions made based on automated processing (including profiling);
    • the categories of recipients with whom your Personal Data is shared (inside or outside the UAE);
    • the controls and standards we apply to storage and retention;
    • the procedures for correction, erasure, restriction, and objection;
    • >the safeguards we apply for cross-border transfers;
    • what we will do in the event of a Personal Data breach; and
    • how to file a complaint with the UAE Data Office.

    (c) Right of Rectification: You can request correction of any inaccurate or incomplete Personal Data we hold about you.

    (d) Right of Erasure: You can request the deletion of your Personal Data, subject to certain conditions.

    (e) Right of Restriction: You can request that we restrict the processing of your Personal Data in certain circumstances.

    (f) Right of Data Portability: You can request the transfer of your Personal Data to yourself or another person or organisation, where the data is processed based on your consent or is necessary for a contract, and is processed by automated means. We will provide it in a structured, commonly used, and machine-readable format.

    (g) Right to Object: You can object to our processing of your Personal Data, including for direct marketing purposes. Where applicable, you can also object to decisions based solely on automated processing that have legal effects or similarly significant impacts on you.

    (h) Right to Withdraw Consent: Where our processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. We shall make it as easy to withdraw consent as it was to give it.

  1. 10. CHILDREN’S PRIVACY
  2. 10.1.Children may use our services when travelling with a parent or guardian, or where a concession applies.

  3. 10.2.We do not knowingly collect Personal Data from children without the consent of a parent or legal guardian where required by law. We take reasonable steps to verify parental consent where applicable. If we learn that we have collected Personal Data from a child without appropriate consent, we shall take prompt steps to delete it or obtain consent as required. Parents and guardians may contact us at any time to review, correct, or request deletion of their child’s Personal Data.

  1. 11. CONTACT INFORMATION
  2. 11.1.If you have any questions about this Privacy Policy, or would like to enquire about your rights, please contact our Data Protection Officer (DPO) at: dpo@etihadrail.ae.
  3. 11.2.You may also use this form to raise your requests concerning your data subject rights: https://etihadrail.ae/en/contact
  4. 11.3.We shall provide you with appropriate and accessible means to submit requests concerning your Personal Data and shall respond within the timeframes prescribed by the PDPL and its Executive Regulations. We shall not charge a fee for responding to your requests unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.
  5. 11.4.If you wish to make a complaint about how we use your Personal Data, we suggest you first contact our DPO using the details above. We will investigate and attempt to resolve your complaint and will do our best to help you exercise your rights within a reasonable timeframe.
  6. 11.5.You also have the right to make a complaint to the UAE Data Office (the competent authority) and to file a grievance in accordance with their published procedures.
  1. 12. AMENDMENTS AND EFFECTIVE DATE
  2. 12.1.We may update this Privacy Policy from time to time to reflect changes in our practices, to comply with applicable laws, or to meet our evolving business requirements. Any amendments shall take effect upon publication of the updated Privacy Policy on our Digital Platforms. We shall notify you of any significant or material changes by posting the updated version on our Digital Platforms, and where appropriate, by other means such as email notification. The date on which this Privacy Policy was last updated is indicated below. We encourage you to review this page regularly to remain informed of any changes. Your continued use of our services following any amendments constitutes your acceptance of the updated Privacy Policy.
  3. 12.2.Our Privacy Policy is effective as of 30 May 2026 (the “Privacy Policy Effective Date”).
  1. 13. OUR LIST OF CONTROLLERS AND PROCESSORS
    • Etihad Rail Mobility - Sole Proprietorship L.L.C.
    • Etihad Rail Company - PJSC