Privacy Policy
Last updated: June 10, 2026
This Privacy Policy explains what personal data FlyRada collects, why we collect it, and how you can exercise your rights. We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and Estonian data protection law. The data controller is FlyRada OÜ, registry code [14XXXXXX], [street address], Tallinn, Estonia.
1. Data we collect
- Account data: name, email address, phone number, password hash.
- Passenger data: full name, date of birth, gender, nationality, passport number and expiry date.
- Booking data: itineraries, fare class, baggage, seats, payment status, booking references.
- Payment data: processed by Stripe; we never store full card numbers.
- Technical data: IP address, device and browser information, usage analytics.
2. Why we process it
We process your data to provide the booking service: searching flights, issuing tickets, sending confirmations by email and SMS, processing payments and refunds, and providing customer support.
With your consent, we also send price alerts and marketing emails — you can unsubscribe at any time with one click.
Legal bases under the GDPR: performance of a contract (Art. 6(1)(b)) for bookings and support; compliance with a legal obligation (Art. 6(1)(c)) for tax and aviation records; your consent (Art. 6(1)(a)) for marketing; and our legitimate interests (Art. 6(1)(f)) for fraud prevention and service analytics.
3. How passport data is protected
Passenger passport details are encrypted with AES-256 before being stored. Access is limited to systems that transmit the data to airlines for ticket issuance. Encryption keys are stored separately from the data.
4. Sharing with third parties
We share data only when necessary to deliver the service:
- Airlines and ticketing providers (Duffel) — to issue and manage your tickets.
- Stripe — to process payments and prevent fraud.
- Twilio and Resend — to deliver SMS codes and transactional emails.
- Analytics and error-monitoring providers — in aggregated or pseudonymised form.
5. Data retention
Booking records are kept for the period required by tax and aviation regulations (typically 7 years). Passport data of saved travelers is deleted immediately when you remove a traveler or close your account. Marketing preferences are kept until you withdraw consent.
6. Your rights
- Access a copy of your personal data.
- Correct inaccurate data.
- Delete your data (“right to be forgotten”), subject to legal retention duties.
- Export your data in a machine-readable format.
- Object to or restrict certain processing.
- Lodge a complaint with a supervisory authority — in Estonia, the Data Protection Inspectorate (Andmekaitse Inspektsioon, aki.ee), or the authority of your country of residence.
7. International transfers
Where data is transferred outside the European Economic Area, we rely on adequacy decisions or EU Standard Contractual Clauses with our processors.
8. Contact our privacy team
For privacy requests, email privacy@flyrada.app. We respond to verified requests within 30 days.