Compliance & Trust Center
Fly-Wise AI Ltd — our commitments on data protection, security, and regulatory conduct.
For compliance, regulatory, or data protection enquiries, contact our Legal & Compliance team at legal@flywisely.net.
🇪🇺 Data Protection (GDPR / UK GDPR / CCPA)
Data Controller: Fly-Wise AI Ltd · Data Protection Officer: legal@flywisely.net
We process personal data in accordance with the EU General Data Protection Regulation, the UK GDPR and Data Protection Act 2018, and the California Consumer Privacy Act (CCPA/CPRA). Our full Privacy Policy describes our practices in detail.
Performance of a contract (bookings), consent (push notifications and optional analytics), legitimate interests (security, fraud prevention, service improvement), and legal obligation.
We collect only the personal data necessary for each purpose and apply purpose limitation and storage limitation throughout the data lifecycle.
Account data: for the life of the account. Booking records: 7 years for financial and legal compliance. Search logs: 90 days. Push tokens: until you unsubscribe.
Safeguarded by EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and supplementary technical measures, supported by transfer risk assessments.
Access, rectification, erasure, restriction, portability, and objection. Submit requests to legal@flywisely.net; we respond within the timeframes required by law (generally 30 days).
Available via Account → Delete Account or by email. Records we are legally required to retain are anonymised rather than deleted.
Essential cookies by default; analytics cookies only with explicit consent via our banner. No third-party advertising cookies.
Where required, we notify the competent supervisory authority within 72 hours and affected individuals without undue delay, per GDPR Articles 33–34.
🔐 Sensitive Data Handling
Passport numbers, nationality, government identifiers, and dates of birth are treated as sensitive personal information and processed only where strictly necessary to complete a booking or to meet airline, border-control, and statutory requirements.
TLS 1.3 for all client and server communications.
AES-256 storage encryption, with application-level AES-256-GCM field encryption for passport numbers, nationality, mobile, and email.
Least-privilege access, role separation, and audit logging. Sensitive fields are never exposed in logs or analytics.
Payment card data is tokenised by our PCI-DSS certified processor and never stored on our systems.
Sensitive identifiers are retained only as long as required to deliver the booking and meet legal obligations, then securely deleted or anonymised.
Sub-processors are bound by data processing agreements and assessed for appropriate technical and organisational measures.
💳 Payment Security (PCI DSS)
Card data is processed exclusively by our PCI-DSS certified payment provider and never touches Fly-Wise infrastructure.
All card data is captured directly by Stripe via hosted fields. Fly-Wise never stores, transmits, or processes full card numbers.
Only the last four digits and card type are retained for display; Stripe holds the tokenised card reference.
Data in transit: TLS 1.3. Data at rest: AES-256. Sensitive PII fields: application-level AES-256-GCM.
Our integration uses hosted payment fields, keeping cardholder data out of Fly-Wise systems and minimising PCI scope.
We complete the applicable PCI self-assessment and maintain the controls appropriate to our integration model.
Processed through the payment provider’s API; raw card numbers are never handled by Fly-Wise.
🛡️ Insurance Distribution
Fly-Wise acts as an insurance intermediary and distributor, not as an insurer. Travel insurance products are underwritten by regulated insurers and, where applicable, distributed through licensed partners.
Distribution is conducted in accordance with applicable insurance regulation in each jurisdiction, including the EU Insurance Distribution Directive (IDD), UK Financial Conduct Authority (FCA) requirements, US state producer licensing, IRDAI requirements in India, and ASIC requirements in Australia.
Before purchase, we clearly disclose: (1) that Fly-Wise is not the insurer; (2) the nature of any remuneration we receive; (3) the insurer’s complaints procedure; and (4) applicable cancellation and cooling-off rights (for example, the 14-day cooling-off period in the EU/UK).
🔌 B2B API Terms
💳 Travel Financing
Where instalment or “buy now, pay later” financing is offered, credit is provided by regulated third-party lending partners who act as the lender of record and are responsible for all consumer-credit regulatory obligations, including affordability assessments and statutory disclosures.
Financing is offered in accordance with applicable consumer-credit law, including the EU Consumer Credit Directive, UK FCA consumer-credit requirements, and the US Truth in Lending Act (Regulation Z).
Before purchase, the full APR, total amount repayable, and payment schedule are clearly disclosed.
🏢 Corporate Travel Data Handling
Data Processing Agreement: We enter into a GDPR-compliant data processing agreement with each corporate client. Fly-Wise acts as data processor; the client is the data controller for its employees’ travel data.
Employee Data: We process employee names, travel itineraries, and expense data on the client’s documented instructions, under an appropriate lawful basis established by the client.
Retention: Corporate booking data is retained per the client’s instructions and not beyond 7 years.
Sub-processors: Our infrastructure, AI, payment, and email sub-processors are engaged under data processing agreements; AI processing uses anonymised queries only.
Questions about our compliance posture?
Contact our Legal & Compliance team: legal@flywisely.net