Privacy Policy

Last updated: February 2026

1. Data Controller

FlightOwed ("we", "us", "our") is the data controller for the personal data collected through this website.

Contact: [email protected]
Address: Lisbon, Portugal

2. What Data We Collect

CategoryDataPurpose
ContactEmail addressCommunicate about your claim; partner referral
FlightFlight number, date, disruption typeEligibility assessment
TechnicalIP address, browser/device info, pages visitedSecurity, fraud prevention, analytics (with consent)
UsageInteraction data (clicks, form submissions)Service improvement (with consent)

We do not collect special category data (health, biometrics, political opinions, etc.).

3. Legal Basis for Processing (GDPR Art. 6)

  • Consent (Art. 6(1)(a)): Analytics cookies and marketing communications — only with your explicit opt-in via our cookie banner.
  • Contract / pre-contractual steps (Art. 6(1)(b)): Processing your flight data to perform the eligibility check you requested.
  • Legitimate interest (Art. 6(1)(f)): Fraud prevention, security logging, service improvement. We balance our interests against your rights and do not use this basis for marketing.

4. How We Use Your Data

  • Assess your eligibility for compensation under EU Regulation EC 261/2004.
  • Refer your case to a vetted claims enforcement partner (only with your consent at the time of submission).
  • Communicate with you about your submission status.
  • Prevent fraud and abuse of our platform.
  • Improve our website and services (anonymised analytics, only with consent).

5. Data Sharing & Recipients

We share your personal data only as necessary and only with the following categories of recipients:

  • Claims enforcement partners: Licensed firms who may pursue your claim. Shared only when you submit a claim through our platform.
  • Infrastructure providers (data processors):
    • Convex (database): Stores your submission data. EU-hosted (Ireland). Bound by a Data Processing Agreement.
    • Vercel (hosting): Hosts our website. Edge functions may process requests globally; core data remains in EU.

We never sell your personal data. We do not share data with advertisers or data brokers.

6. International Transfers

Your data is primarily stored in the EU (Ireland). Where data is processed outside the EEA (e.g., Vercel edge infrastructure), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

7. Data Retention

  • Eligibility check data (no claim submitted): Deleted after 12 months.
  • Claim submissions referred to partners: Retained for 3 years (matching the limitation period for related claims under most EU jurisdictions), then deleted.
  • Analytics data: Anonymised and aggregated; not linked to you personally.

You may request earlier deletion at any time (see Section 8).

8. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Access (Art. 15): Request a copy of the data we hold about you.
  • Rectification (Art. 16): Correct inaccurate data.
  • Erasure (Art. 17): Request deletion of your data ("right to be forgotten").
  • Restriction (Art. 18): Restrict how we process your data.
  • Portability (Art. 20): Receive your data in a machine-readable format.
  • Objection (Art. 21): Object to processing based on legitimate interest.
  • Withdraw consent: At any time, without affecting the lawfulness of prior processing.

To exercise any right, email [email protected]. We will respond within 30 days.

9. Cookies & Analytics

Essential Cookies

We use strictly necessary cookies for basic website functionality (e.g., cookie consent preference). These do not require consent.

Analytics Cookies (optional)

With your consent, we use Vercel Analytics to understand how visitors use our site. This collects anonymised, aggregated data (page views, device type, country). No advertising cookies or tracking pixels are used.

You can change your cookie preferences at any time by clearing your browser's local storage or using the cookie banner that appears on your first visit.

10. Security

We implement appropriate technical and organisational measures to protect your data, including:

  • Encryption in transit (TLS/HTTPS on all connections)
  • Encrypted storage (Convex database encryption at rest)
  • Access controls and principle of least privilege
  • Regular security reviews

11. Children

Our services are not directed to children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.

12. Supervisory Authority

You have the right to lodge a complaint with a data protection authority. The lead authority for FlightOwed is the Portuguese National Data Protection Commission (CNPD):

www.cnpd.pt

You may also complain to the authority in your country of residence.

13. Changes to This Policy

We may update this privacy policy from time to time. The "last updated" date at the top reflects the most recent revision. Material changes will be announced on this page.

14. Contact

For privacy-related inquiries:
FlightOwed
Lisbon, Portugal
Email: [email protected]