Privacy Policy

Last updated: 13 April 2026

1. Who we are

FlyBack (“we”, “us”, “our”) is an online service that helps passengers claim compensation under EU Regulation 261/2004 (EU261) and the UK equivalent (UK261). Our registered address and data controller details are available on request at privacy@flyback.app.

2. Data we collect

We collect only what is necessary to deliver the service:

  • Account data: Email address, name, and authentication provider (Google OAuth or magic link).
  • Flight data: Flight number, date, route, delay duration, and disruption type as entered by you.
  • Personal details for claim letters: Full name, address, and booking reference — used solely to populate the claim letter you generate.
  • Payment data: Processed by Stripe. We never store card numbers; we receive only a Stripe customer ID and subscription status.
  • Usage data: Standard server logs (IP address, browser, pages visited) for security and performance. Retained for 90 days.

3. How we use your data

  • To authenticate your account and maintain your session.
  • To generate EU261/UK261 claim letters on your behalf.
  • To store and display your claim history in your dashboard.
  • To process subscription payments via Stripe.
  • To send transactional emails (magic links, claim status updates). We do not send marketing email without explicit consent.

4. Legal basis (GDPR)

We process your personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b) GDPR): Processing necessary to provide the service you have subscribed to.
  • Legitimate interests (Art. 6(1)(f) GDPR): Security monitoring and fraud prevention.
  • Legal obligation (Art. 6(1)(c) GDPR): Retaining records as required by applicable law.

5. Data sharing

We do not sell your data. We share it only with:

  • Supabase — database and authentication infrastructure (EU-hosted).
  • Stripe — payment processing.
  • Vercel — hosting and CDN.
  • Anthropic — AI model used to generate claim letter text (no personal data is retained by Anthropic after generation).

All sub-processors are contractually bound to process data only on our instructions and in compliance with GDPR.

6. Data retention

We retain your account and claim data for as long as your account is active. You may delete your account at any time from account settings, which permanently removes all associated data within 30 days. Anonymised usage analytics may be retained indefinitely.

7. Your rights

Under GDPR you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request erasure (“right to be forgotten”)
  • Restrict or object to processing
  • Receive your data in a portable format
  • Lodge a complaint with your national data protection authority

To exercise any of these rights, email privacy@flyback.app.

8. Cookies

We use strictly necessary cookies only: a session cookie to keep you logged in, and a Stripe cookie for payment processing. We do not use advertising or tracking cookies.

9. Changes to this policy

We may update this policy to reflect changes in our practices or applicable law. When we do, we will update the “Last updated” date above and, for material changes, notify you by email.

10. Contact

Questions about this policy? Email privacy@flyback.app.