1. Who we are (Data Controller)
FlightProof operates the website flightproof.co and provides onward flight reservation services.
We are the data controller for the personal data you provide to us. This means we determine the purposes and means of processing your personal data.
Contact: [email protected]
2. What personal data we collect and why
We only collect data that is strictly necessary to fulfill your booking. Here is exactly what we collect and the legal basis for each:
Booking data (contract performance — Article 6(1)(b) GDPR)
When you place an order, we collect:
- Full name — required to generate a verifiable airline reservation in your name
- Email address — required to deliver your PDF ticket and PNR code
- Travel details (departure airport, destination airport, travel date) — required to generate the reservation
Without this data we cannot perform the service contract you entered into with us.
Partner account data (contract performance — Article 6(1)(b) GDPR)
If you register as a partner (travel agency), we additionally collect:
- Company name
- Password (stored as a salted bcrypt hash — we never store plaintext passwords)
- API key (generated automatically)
- Stripe Connect account ID (if you connect for payouts)
Payment data
We do not see, process, or store your payment card details.
- Card payments: handled entirely by Stripe, Inc. (PCI-DSS Level 1 certified). Stripe provides us only with your email and payment confirmation status.
- Crypto payments: handled via the Solana blockchain — a public, decentralised ledger. Your Solana wallet address is visible on-chain but is not linked to your identity on our end beyond the one-time order.
3. How we use your data
Your data is used solely to:
- Generate and email your flight reservation PDF and verifiable PNR code
- Process your payment via Stripe or Solana
- Look up your booking when you request it (via email)
- Respond to support enquiries
- Manage partner accounts and calculate commissions (for registered agencies only)
We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes.
We do not use your data for automated decision-making or profiling.
4. Legal bases for processing (GDPR Article 6)
| Processing purpose | Legal basis |
|---|---|
| Booking fulfillment & ticket delivery | Article 6(1)(b) — Contract performance |
| Partner account management | Article 6(1)(b) — Contract performance |
| Stripe payment processing | Article 6(1)(b) — Contract performance |
| Email notifications about your booking | Article 6(1)(b) — Contract performance |
| Analytics (Google Analytics — with consent) | Article 6(1)(a) — Consent (opt-in) |
| Legal obligations (tax, fraud prevention) | Article 6(1)(c) — Legal obligation |
5. Cookies and tracking
FlightProof uses a minimal cookie and storage approach:
- Essential session cookie: Used for partner login sessions (express-session). This is strictly necessary and cannot be disabled.
- Browser local storage: Used solely to remember your language preference (no tracking data).
- Google Analytics (gtag.js): Uses consent mode v2. Analytics cookies are only set if you explicitly opt in via our consent banner. Default state for
analytics_storageisdenied. - Stripe cookies: Stripe may set cookies on their own checkout domain when you pay by card. Refer to Stripe's Privacy Policy.
6. Third-party processors (Data Processors)
We engage the following third-party data processors. Each has been assessed for GDPR compliance and a Data Processing Agreement (DPA) is in place or available:
- Stripe, Inc. (USA) — Payment processing. Privacy Policy | DPA
- SpaceMail (EU) — Transactional email delivery. GDPR-compliant, data stored in EU.
- Google LLC (USA) — Analytics (only with your consent). Privacy Policy | DPA
- Solana blockchain — Decentralised public network for crypto payment verification.
- Vercel Inc. (USA) — Hosting infrastructure. Privacy Policy
If the processor is based outside the EEA, we rely on Standard Contractual Clauses (SCCs) as the appropriate safeguard under Article 46 GDPR.
7. International data transfers
Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States. When we transfer your data, we ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses (SCCs) adopted by the European Commission
- Providers certified under the EU-US Data Privacy Framework
8. Data retention
We retain your personal data only as long as necessary:
- Booking data (name, email, travel details): Retained for 12 months after your travel date, then permanently deleted.
- Partner account data (email, password hash, company): Retained for the duration of your account plus 12 months after account closure.
- Financial records (payment amounts, dates): Retained for 7 years as required by tax and accounting legal obligations (Article 6(1)(c) GDPR).
- Log files: Server logs are rotated every 14 days. PII is minimised and not stored in logs beyond transient request processing.
You can request earlier deletion at any time (see Section 9).
9. Your rights under GDPR
As a data subject in the EEA, UK, or Switzerland, you have the following rights:
- Right of access (Article 15): Request a copy of all personal data we hold about you.
- Right to rectification (Article 16): Have inaccurate data corrected.
- Right to erasure (Article 17): Have your personal data deleted ("right to be forgotten").
- Right to restriction of processing (Article 18): Temporarily restrict how we process your data.
- Right to data portability (Article 20): Receive your data in a structured, machine-readable format (JSON or CSV).
- Right to object (Article 21): Object to processing based on legitimate interests.
- Right to withdraw consent: Withdraw any consent you have given (e.g., analytics cookies) at any time.
To exercise any of these rights:
- Email us at [email protected] with your request and the email address used at checkout, or
- Use our automated data request tool (available to logged-in partners via their dashboard)
We will respond to your request within 30 days as required by Article 12 GDPR. We may ask for additional information to verify your identity before processing your request.
You also have the right to lodge a complaint with your national data protection supervisory authority (e.g., the ICO in the UK, the CNIL in France, or the DPC in Ireland).
10. Data security (Article 32 GDPR)
We implement appropriate technical and organisational measures to ensure your data is secure:
- Encryption in transit: All website traffic is served over HTTPS/TLS 1.3.
- Encryption at rest: Database connections are encrypted. Passwords are hashed with bcrypt (salt rounds: 10).
- API keys: Partner API keys are generated using cryptographically secure random values.
- Access control: Admin endpoints require a secret admin key. Partner data is isolated per-account.
- No storage of card data: Payment card numbers are never transmitted through or stored on our servers — Stripe handles all card data directly.
- Session security: Session cookies are HTTP-only, SameSite=Lax, and set to secure mode in production.
11. Automated data deletion
Our system runs a periodic cleanup that automatically deletes booking records older than the retention period (12 months after travel date). You do not need to request this — it happens automatically.
12. Children's privacy
FlightProof does not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
13. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified via a notice on our website or by email. The "Last updated" date at the top of this page will always reflect the latest revision. We will not reduce your rights under this policy without your explicit consent.
14. Contact & Data Protection Officer
For any privacy-related queries, data subject requests, or if you wish to contact our Data Protection Officer:
Email: [email protected]
We aim to respond to all enquiries within 48 hours.
15. Supervisory authority
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. For users in the UK, this is the Information Commissioner's Office (ICO): ico.org.uk.