Privacy Policy
Last updated: May 2026 · Fly-Wise AI Ltd
1. Who We Are
Fly-Wise AI Ltd ("Fly-Wise", "we", "our", "us") is the data controller for the personal data processed through the travel platform at flywisely.net. We are committed to protecting your privacy and processing personal data lawfully, fairly, and transparently in accordance with the EU General Data Protection Regulation (GDPR), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act (CCPA/CPRA), and other applicable data protection laws. This Privacy Policy explains what personal data we collect, the purposes and legal bases for processing, how it is safeguarded, the recipients with whom it is shared, and the rights available to you. Our Data Protection Officer can be reached at legal@flywisely.net.
2. Data We Collect
- Account Data: Name, email address, phone number, password (hashed — never stored in plain text), date of birth, gender, address.
- Booking Data: Flight bookings, passenger details, passport numbers (for bookings), seat preferences, loyalty program numbers.
- Special Category & Sensitive Data: Passport and government identifier data, nationality, and date of birth constitute sensitive personal information. We process it only where strictly necessary to fulfil a booking or to meet airline, border-control, and legal requirements, under heightened safeguards (application-level AES-256-GCM encryption, strict access controls, and minimised retention). We do not request or knowingly process health, biometric, religious, or other special-category data except where you voluntarily provide it for a specific accessibility or assistance request.
- Additional Travelers: Details of travel companions you add (name, DOB, passport info) — stored securely and used only for bookings you initiate.
- Payment Data: We do not store full card numbers. Payments are processed by Stripe (PCI-DSS compliant). We store only the last 4 digits and card type for display purposes.
- Usage Data: Search queries, flight views, features used, pages visited, timestamps, and interaction logs for AI improvement and analytics.
- Device & Technical Data: IP address, browser type, operating system, device identifiers, referral URL. Used for security, rate limiting, and analytics.
- Communications: Messages sent via in-app chat, support tickets, and complaint threads.
- Push Notification Tokens: Browser push subscription details (endpoint, p256dh, auth keys) if you opt in to push notifications.
3. How We Use Your Data
- Service Delivery: Processing bookings, sending booking confirmations, managing price alerts, and operating your account.
- AI Features: Powering search, price predictions, visa recommendations, and travel risk analysis using your search history and preferences.
- Communications: Transactional emails (booking confirmation, alerts, support replies). We do not send unsolicited marketing without consent.
- Push Notifications: Price alert triggers and booking updates (only if you opt in).
- Security: Fraud detection, rate limiting, suspicious login detection, and platform integrity.
- Analytics & Improvement: Aggregate usage analytics to improve features. Individual search queries are analysed to improve AI accuracy.
- Legal Compliance: Meeting our obligations under applicable law and responding to lawful government requests.
4. Legal Basis for Processing
We process your data on the following legal bases: (a) Contract — necessary to fulfil your booking; (b) Consent — push notifications and optional analytics; (c) Legitimate interest — security, fraud prevention, platform improvement; (d) Legal obligation — compliance with applicable laws. You may withdraw consent at any time by contacting us.
5. Data Sharing
We do not sell your personal data. We share data only with: (1) Airlines and GDS providers (Duffel API) to complete bookings — they receive passenger name, DOB, and passport details as required for ticketing; (2) Resend — for transactional emails; (3) Supabase — our secure cloud database provider; (4) Anthropic — anonymous search queries are processed by our AI (no personally identifying information is sent); (5) Sentry — anonymised error reports for debugging; (6) Stripe — payment processing (PCI-DSS compliant); (7) Law enforcement when required by law. All third parties are bound by data processing agreements.
6. Data Retention
We retain your account data for as long as your account is active. Booking records are retained for 7 years for legal and financial compliance. Search logs are retained for 90 days. Push notification tokens are deleted when you unsubscribe or your subscription expires. You may request deletion of your account and associated data at any time.
7. Security
We maintain a defence-in-depth information security program aligned with industry best practice (including controls consistent with ISO/IEC 27001 and the NIST Cybersecurity Framework). Technical and organisational measures include: TLS 1.3 encryption for all data in transit; AES-256 encryption at rest; application-level AES-256-GCM field encryption for sensitive identifiers (passport numbers, nationality, mobile, email); salted password hashing; principle-of-least-privilege access controls and audit logging; network rate limiting and brute-force protection; input validation and parameterised queries to prevent injection and cross-site scripting; secrets management and key rotation; and periodic security testing and review. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and affected individuals without undue delay, in accordance with GDPR Articles 33 and 34. No system can be guaranteed perfectly secure; we strongly encourage the use of a strong, unique password and multi-factor authentication where available.
8. Cookies
We use essential cookies for authentication (session tokens via Supabase Auth) and preference storage. We use no third-party advertising cookies. Analytics cookies (if any) are anonymous and aggregate. You can disable cookies in your browser settings; this may affect Service functionality.
9. Your Rights
- Access: Request a copy of all personal data we hold about you.
- Rectification: Correct inaccurate data via your profile settings or by emailing us.
- Deletion: Request deletion of your account and associated data ("right to be forgotten"). Booking records required for legal compliance may be retained in anonymised form.
- Portability: Receive your data in a machine-readable format (JSON/CSV).
- Objection: Object to processing based on legitimate interest.
- Withdraw Consent: Withdraw consent for push notifications or analytics at any time.
10. Children's Privacy
Fly-Wise is not directed to children under 18. We do not knowingly collect personal data from minors. If you believe a minor has created an account, contact us at legal@flywisely.net and we will promptly delete the data.
11. International Transfers
Your personal data may be processed in jurisdictions outside your country of residence, including the United States. Where personal data is transferred internationally, we implement appropriate safeguards as required by applicable law — including European Commission Standard Contractual Clauses, the UK International Data Transfer Addendum, and supplementary technical measures — and we conduct transfer risk assessments where required. A copy of the relevant safeguards may be requested at legal@flywisely.net.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notice at least 14 days before taking effect. The "last updated" date at the top reflects the most recent revision.
13. Contact & Complaints
For any privacy-related questions, to exercise your data subject rights, or to raise a complaint, contact our Data Protection Officer at legal@flywisely.net. We will respond to verified requests within the timeframes required by applicable law (generally within 30 days). You also have the right to lodge a complaint with the data protection supervisory authority in your jurisdiction (for example, the UK Information Commissioner's Office, the relevant EU supervisory authority, or the California Privacy Protection Agency).