PRIVACY POLICY — GDPR
flyrecover.com — FlyRecover OÜ
Last update: [date]
1. Data controller
FLYRECOVER OÜ — Estonian private limited company, registry no. [●], registered office [●], Tallinn, Estonia.
Privacy email: privacy@flyrecover.com.
EU representative under Art. 27 GDPR: not required (main establishment in EU).
2. Commitment
The Company processes personal data in accordance with Regulation (EU) 2016/679 ("GDPR"), the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus) and equivalent rules in jurisdictions where Clients reside.
3. Categories of data processed
| Category | Examples | Main purpose |
|---|---|---|
| Identity | name, DoB, ID document | Identification, anti-fraud, KYC |
| Contact | email, phone, WhatsApp, postal address | Communication, claim follow-up, payment |
| Flight data | flight number, date, route, PNR, boarding pass | Building the claim, eligibility check |
| Financial data | IBAN, BIC, payment evidence | Remittance of recovered sums |
| Connection data | IP address, browser type, date/time | Security, audit, anti-fraud |
| Support exchanges | emails, chats, WhatsApp, call notes | Customer service, quality, evidence |
4. Purposes and legal bases
| Purpose | Legal basis (GDPR) |
|---|---|
| Conclusion and performance of the Agreement | Performance of contract (Art. 6.1.b) |
| Claim management | Performance of contract (Art. 6.1.b) |
| Representation before airlines and authorities | Performance + legitimate interest (Art. 6.1.b/f) |
| Anti-fraud / KYC / AML | Legal obligation (Art. 6.1.c) + legitimate interest |
| Bookkeeping and tax obligations | Legal obligation (Art. 6.1.c) |
| Marketing communications (newsletter) | Consent (Art. 6.1.a), revocable any time |
| Site analytics | Legitimate interest (Art. 6.1.f) |
| Non-essential cookies | Consent (Art. 6.1.a) |
5. Recipients
Strictly on a need-to-know basis: - internal staff and contractors; - airlines concerned; - National Enforcement Bodies (DGAC, CAA, LBA, etc.); - partner lawyers and bailiffs; - technical providers (hosting, CRM, e-signature, payments, WhatsApp BSP, support); - public authorities upon legal request.
Data is never sold for third-party marketing.
6. Main sub-processors
| Sub-processor | Role | Location | Safeguards |
|---|---|---|---|
[Hosting provider] |
hosting | EU | Art. 28 GDPR DPA |
[CRM] |
client relationship | EU/USA | DPA + SCCs |
[E-signature] |
contract signature | EU | DPA + eIDAS |
[Payments — Stripe / Wise] |
collection and remittance | EU | DPA + PSD2 |
[WhatsApp BSP] |
WhatsApp messaging | EU/USA | DPA + SCCs + opt-in |
[Flight data API] |
flight data | EU | commercial contract |
7. Transfers outside EU
Where transferred to a country without an adequacy decision, the Company implements: - EU Commission Standard Contractual Clauses (SCCs); and/or - supplementary measures (encryption, pseudonymization, access restrictions).
8. Retention
| Category | Duration |
|---|---|
| Active claim | duration + 3 years |
| Accounting documents | 7 years (Estonian law) |
| KYC / AML data | 5 years after closure |
| Cookies | per Cookies Policy (max 13 months) |
| Connection logs | 12 months |
| Newsletter | until unsubscribe |
9. Data subject rights
- access (Art. 15);
- rectification (Art. 16);
- erasure (Art. 17), subject to legal retention;
- restriction (Art. 18);
- data portability (Art. 20);
- objection (Art. 21);
- withdraw consent any time;
- lodge a complaint with a supervisory authority (Estonia: Andmekaitse Inspektsioon —
https://www.aki.ee); - post-mortem instructions on personal data.
To exercise: privacy@flyrecover.com. Reply within 30 days, extendable by 60 days for complex requests.
10. Security
- TLS 1.2+ encryption in transit;
- encryption at rest of databases containing personal data;
- access controls and logging;
- password policy and strong authentication for admins;
- periodic staff training;
- breach notification procedure compliant with Art. 33 GDPR (72h notification to Andmekaitse Inspektsioon).
11. Cookies
See the Cookies Policy: https://flyrecover.com/cookies.
12. Minors
The Services are not intended for persons under 16 acting on their own behalf. Where a minor is concerned, the parent or legal representative must sign.
13. Amendments
The Company may amend this Policy. The version published on the Site applies. Material changes are notified by email to active Clients.
14. Contact
- Email:
privacy@flyrecover.com - Postal:
[●], Tallinn, Estonia