FlyStandby

GDPR Notice

Last updated: March 2026

Introduction

This GDPR Notice explains how FlyStandby.app ("FlyStandby," "we," "us," or "our") collects, processes, stores, and protects your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). FlyStandby is an airline standby travel platform designed exclusively for airline employees and eligible companions, enabling users to find standby flights with seat availability, manage load requests, and plan non-revenue travel.

This notice should be read alongside our Privacy Policy, Terms of Service, and Cookie Policy.

Data Controller

FlyStandby is the data controller responsible for your personal data. If you have any questions about this GDPR Notice or wish to exercise your data protection rights, please contact our Data Protection Contact:

Data Protection Contact
FlyStandby
Email: hello@flystandby.app

Categories of Personal Data We Collect

We collect and process the following categories of personal data:

Identity and Account Data

  • Full name
  • Email address
  • Airline affiliation (employer airline and additional airlines)
  • Employee ID (for verification purposes)
  • Referral code and referral relationships
  • Account preferences (currency, timezone, time format, notification settings)

Financial and Transaction Data

  • SkyCredits balance, transactions, and tier information
  • Payment records processed through Stripe (we do not store full card numbers)
  • Purchase history for SkyCredits packages
  • Referral payout records

Travel and Activity Data

  • Flight search queries and cached search results
  • Load requests submitted and responses received
  • Followed/bookmarked flights
  • Trip plans (multi-leg itineraries, canvas positions, flight options)
  • Traveler agreements (per-airline cabin class eligibility)
  • Flight comparison data

Verification Data

  • ID photo uploads (airline identification badge) for employee verification
  • Verification status and review history
  • Airline name and employee ID associated with verification requests

Technical and Device Data

  • IP address (collected on each connection for fraud prevention)
  • Persistent device identifier cookie for security and duplicate account detection
  • Connection metadata (browser type, language, approximate geolocation derived from IP)
  • Push notification subscriptions (endpoint, keys) via Web Push API
  • Cookies and local storage data (authentication tokens, preferences)
  • Browser and device information transmitted via standard HTTP headers

Legal Basis for Processing

Under Article 6 of the GDPR, we rely on the following legal bases to process your personal data:

Legal Basis | Processing Activities

Performance of Contract (Article 6(1)(b))
  • Creating and managing your user account
  • Processing SkyCredits transactions and purchases
  • Facilitating load requests and responses
  • Providing flight search and trip planning services
  • Processing payments through Stripe
  • Delivering notifications about your requests and account activity

Consent (Article 6(1)(a))
  • Sending marketing and promotional email communications
  • Setting analytical and tracking cookies
  • Push notification delivery
  • Processing optional data (airline affiliation, additional airlines)

Legitimate Interest (Article 6(1)(f))
  • Maintaining platform security and preventing fraud (including persistent device cookies and connection tracking)
  • Employee verification to ensure platform integrity
  • IP address and device identifier logging for abuse prevention and duplicate account detection
  • Enforcing our Terms of Service (e.g., banned email list)
  • Internal analytics to improve service quality
  • Referral fraud detection

Legal Obligation (Article 6(1)(c))
  • Retaining financial transaction records as required by applicable tax and accounting laws
  • Responding to lawful data access requests from authorities

Third-Party Data Processors

We share personal data with the following third-party processors, each of which is bound by data processing agreements and complies with GDPR requirements:

Processor | Purpose | Data Shared | Location
Hetzner Online GmbH | Database hosting, application server, file storage | All account and platform data, authentication tokens, uploaded files | Germany
Stripe Inc. | Payment processing | Email, payment card details, transaction amounts | United States
Duffel Technology Ltd. | Flight search and seat availability data | Flight search parameters (routes, dates); no personal identity data | United Kingdom
Resend Inc. | Transactional and notification emails | Email address, name, notification content | United States
Cloudflare Inc. | Content delivery network and DDoS protection | IP addresses, request metadata | United States

We do not sell, rent, or trade your personal data to any third party for their own marketing purposes.

International Data Transfers

Some of our third-party processors are located outside the European Economic Area (EEA), primarily in the United States and the United Kingdom. When transferring personal data outside the EEA, we ensure appropriate safeguards are in place, including:

  • EU-US Data Privacy Framework: Transfers to US-based processors that are certified under the EU-US Data Privacy Framework (where applicable)
  • Standard Contractual Clauses (SCCs): Where the Data Privacy Framework does not apply, we rely on EU-approved Standard Contractual Clauses adopted by the European Commission
  • UK Adequacy Decision: The European Commission has issued an adequacy decision for the United Kingdom, permitting data transfers without additional safeguards

You may request a copy of the specific safeguards applied to your data transfers by contacting us at hello@flystandby.app.

Data Retention Periods

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected. Specific retention periods are as follows:

Data Category | Retention Period
Account data (name, email, preferences) | Duration of your membership, plus up to 30 days after account deletion
Financial transaction records | 7 years after the transaction (legal/tax obligation)
SkyCredits balance and transaction history | Duration of your membership, plus up to 30 days after account deletion
Flight searches and cached results | Until flight departure time, then automatically purged
Load requests and responses | Automatically expire at departure + 1 hour; records retained for 12 months for quality assurance
Trip plans | Duration of your membership, deleted upon account deletion
Verification ID photos | Deleted promptly after verification review is completed
Push notification subscriptions | Until you unsubscribe or delete your account
Connection records (IP addresses, device identifiers, metadata) | Duration of your membership (used for fraud prevention and account security)
Banned email records | Indefinitely (to prevent re-registration of abusive accounts)

Your Rights Under the GDPR

Under the GDPR, you have the following rights with respect to your personal data. You may exercise any of these rights at any time by contacting us at hello@flystandby.app.

Right of Access (Article 15)

You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to request a copy of all personal data we hold about you, free of charge. We will respond within 30 days of receiving your request.

Right to Rectification (Article 16)

You have the right to request the correction of inaccurate personal data and the completion of incomplete data. You may update most of your profile information directly through your account settings at any time.

Right to Erasure (Article 17)

You have the right to request the deletion of your personal data. You can delete your account directly from your profile settings, which will remove your data within 30 days. Certain data may be retained where we have a legal obligation (e.g., financial records for tax purposes).

Right to Restriction of Processing (Article 18)

You have the right to request the restriction of processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or when you have objected to processing pending verification of our legitimate grounds.

Right to Data Portability (Article 20)

You have the right to receive the personal data you provided to us in a structured, commonly used, and machine-readable format (such as JSON or CSV), and to transmit that data to another controller without hindrance.

Right to Object (Article 21)

You have the right to object to the processing of your personal data where we rely on legitimate interests (Article 6(1)(f)) as the legal basis. Upon objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Right to Withdraw Consent (Article 7(3))

Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. You can manage your notification preferences, cookie settings, and push notification subscriptions directly in your account settings.

Right Not to Be Subject to Automated Decision-Making (Article 22)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. FlyStandby does not engage in automated decision-making that produces legal effects on users. Our dynamic pricing system for SkyCredits rewards is based on algorithmic calculations but does not constitute automated individual decision-making under Article 22.

Data Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR:

  • Encryption in transit: All data is transmitted over HTTPS/TLS encrypted connections
  • Encryption at rest: Database data is encrypted at rest via our hosting provider (Hetzner)
  • Access control: Database access is enforced through application-level authorization, ensuring users can only access their own data
  • Authentication: Secure authentication via Better Auth with session token management
  • Access control: Internal access to user data is restricted to authorized personnel on a need-to-know basis
  • Payment security: Payment card data is handled entirely by Stripe (PCI DSS Level 1 certified) and never stored on our servers
  • Content Security Policy: CSP headers are enforced to mitigate cross-site scripting and data injection attacks

Cookies and Local Storage

We use strictly necessary cookies for authentication, session management, and security (including a persistent device identifier cookie used for fraud prevention and duplicate account detection). Analytical and tracking cookies are only placed with your explicit consent, which you can manage via our cookie consent banner. For full details, please refer to our Cookie Policy.

We also use browser local storage to persist certain non-sensitive user preferences, such as flight comparison selections (with 24-hour expiry) and authentication session tokens.

Children's Data

FlyStandby is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete that data promptly. If you believe a child under 16 has provided us with personal data, please contact us immediately at hello@flystandby.app.

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required by Article 34.

Right to Lodge a Complaint

If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement (Article 77 GDPR).

As FlyStandby is operated from Belgium, the lead supervisory authority is:

Belgian Data Protection Authority
(Autorité de protection des données / Gegevensbeschermingsautoriteit)
Rue de la Presse 35 / Drukpersstraat 35
1000 Brussels, Belgium
Website: www.dataprotectionauthority.be
Email: contact@apd-gba.be

We encourage you to contact us first at hello@flystandby.app so that we can try to resolve your concern directly.

Changes to This GDPR Notice

We may update this GDPR Notice from time to time to reflect changes in our data processing practices or applicable law. When we make material changes, we will publish a prominent notification on our website and update the "Last updated" date above. We may also notify you via email. We encourage you to review this notice periodically.

Contact Us

For any questions, concerns, or requests related to this GDPR Notice or your personal data, please contact us at hello@flystandby.app.