Privacy Policy

This policy applies to personal data we process in connection with our website, business communications, and the B2B aviation desk services described in our Terms & Conditions. It does not cover third-party websites, airlines, or other service providers that may be linked from our site or involved in fulfilling a booking — those operate under their own privacy notices.

The controller responsible for personal data processed under this policy is Flipo Tickets. For any questions or to exercise your rights, contact us at:

• Email: hello@flipotickets.com
• Registered office: [Company legal name, registration number, full address — to be completed]
• Data protection contact: [DPO or privacy lead contact — to be completed]

Personal data

Any information relating to an identified or identifiable natural person (GDPR Art. 4(1)).

Processing

Any operation performed on personal data — collection, storage, use, disclosure, deletion, etc.

Data subject

The individual to whom the personal data relates (a website visitor, business contact, or traveller).

Controller

The party that decides why and how personal data is processed.

Processor

A party that processes personal data on behalf of a controller.

GDS

Global distribution system (e.g. Amadeus, Sabre, Travelport) used to source and issue airline inventory.

Depending on how you interact with us, we may process:

• Inquiry data — name, business email, phone number, company name, role, and the content of the message you send us.
• Traveller data — full name as it appears on travel documents, date of birth, gender (where required by the carrier), nationality, passport or ID details, visa details, frequent-flyer numbers, contact details, and where you have consented, dietary or medical requirements relevant to the trip.
• Booking and transaction data — record locator (PNR), itineraries, ticket numbers, fare components, ancillary services, invoices, and payment references (we do not store full card numbers).
• Communication data — emails, chat messages, and metadata about calls (date, time, duration) related to your inquiries and bookings.
• Technical data — IP address, browser type and version, device type, language, referring URL, and basic analytics about how the website is used.

We collect personal data:

• directly from you when you contact us or use our website;
• from the Client company that engages us, when it shares traveller details to make a booking;
• from carriers, GDS, and other travel-industry providers in the course of issuing and servicing a booking;
• from payment processors and banks for invoicing and reconciliation;
• from cookies and similar technologies on our website (see section 14).

We only process personal data when we have a valid legal basis under GDPR Art. 6:

• Performance of a contract (Art. 6(1)(b)) — to deliver the Services, including issuing tickets, handling changes and refunds, and communicating about bookings.
• Compliance with legal obligations (Art. 6(1)(c)) — accounting, tax, anti-fraud, and record- keeping requirements imposed by EU and national law.
• Legitimate interests (Art. 6(1)(f)) — securing our systems, preventing misuse, improving the Services, and limited B2B marketing to existing clients about closely related offerings. We always balance these interests against your rights and freedoms.
• Consent (Art. 6(1)(a)) — marketing to new business contacts, non-essential cookies, and any processing of special-category data described in section 7. You can withdraw consent at any time.

Some travel arrangements (such as medical assistance, mobility support, or dietary restrictions tied to a health condition) require us to process special-category data within the meaning of GDPR Art. 9. We do so only on the basis of your explicit consent (Art. 9(2)(a)) and only to the minimum extent necessary to deliver the trip you requested. You can refuse to provide this information, in which case we may not be able to arrange the relevant service.

We share personal data only where it is necessary to deliver the Services or to comply with the law. Recipients include:

• airlines and other carriers performing the travel;
• global distribution systems (Amadeus, Sabre, Travelport) and other ticketing infrastructure;
• payment service providers, banks, and card networks;
• accounting, legal, IT, and other professional service providers acting under confidentiality;
• regulators, tax authorities, law enforcement, and courts where required by law;
• fraud-prevention and information-security providers.

We do not sell personal data and we do not share it with third parties for their own marketing purposes.

Air travel is global. To issue and service a booking, personal data may be transferred to countries outside the European Economic Area (EEA), including to airlines, GDS, and ground providers in the country of travel.

Where we transfer personal data outside the EEA, we rely on a valid transfer mechanism under GDPR Chapter V — typically an adequacy decision of the European Commission or the Standard Contractual Clauses (Decision (EU) 2021/914). Transfers to carriers as part of an international booking also rely on the derogation in GDPR Art. 49(1)(b) (performance of a contract with the data subject).

We keep personal data only as long as needed for the purposes for which it was collected, plus any period required by law. Typical retention periods are:

• Booking and invoice records — 5 to 10 years, in line with tax, accounting, and aviation record-keeping rules.
• Inquiry data — up to 24 months after the last contact, unless a business relationship begins.
• Website logs — up to 12 months for security and analytics.
• Marketing data — until you unsubscribe or withdraw consent.

When retention periods expire we delete or anonymise the data, unless we are required to keep it longer in connection with a legal claim or investigation.

We apply appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or misuse. These include encryption in transit, access controls, staff training, role-based permissions, and vendor due diligence. No system is perfectly secure, but we work continuously to reduce risk.

If a personal-data breach is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority and, where required, affected individuals, in line with GDPR Art. 33–34.

Subject to the conditions in GDPR Art. 15–22, you have the right to:

• access the personal data we hold about you;
• have inaccurate or incomplete data corrected;
• have your data erased ("right to be forgotten");
• restrict processing in certain circumstances;
• receive your data in a portable format;
• object to processing based on legitimate interests, including direct marketing;
• withdraw consent at any time, without affecting prior lawful processing;
• not be subject to decisions based solely on automated processing that significantly affect you (see section 16).

To exercise your rights, email hello@flipotickets.com. We respond within one month, with the possibility of extending the deadline by up to two further months for complex requests, as permitted by GDPR Art. 12(3).

If you believe our processing infringes data-protection law, you have the right to lodge a complaint with the supervisory authority of the EU Member State of your habitual residence, place of work, or alleged infringement. A list of national authorities is maintained by the European Data Protection Board (edpb.europa.eu).

Our website uses cookies and similar technologies for:

• Strictly necessary functions — required for the site to work (set without consent).
• Analytics — to understand traffic and improve content (set with consent where required).
• Marketing — only with your consent and where applicable.

You can manage cookies through your browser settings or any consent banner we display. Disabling cookies may affect the functionality of the site.

The Services are not directed to individuals under the age of 16. We process data about minors only when an adult traveller or Client provides it as part of a booking and is responsible for ensuring such processing is lawful.

We do not make decisions about you that are based solely on automated processing and that produce legal effects or similarly significantly affect you within the meaning of GDPR Art. 22. Some routine tools (e.g. fare search, fraud screening by payment providers) are automated, but they always involve human judgement before any meaningful decision is made.

We may update this policy from time to time to reflect changes in our Services, technology, or applicable law. The updated version will be posted on this page with a new "Last updated" date. Material changes will be communicated in advance where reasonably practical.

For any privacy-related question, request, or complaint, contact us at hello@flipotickets.com.