Privacy Policy

Last updated: May 2, 2026

Introduction

Flaito ("we", "our", or "us") values your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

Please read this Privacy Policy carefully. By using Flaito, you acknowledge that you have read, understood, and agree to be bound by all its terms.

Data Controller

Flaito is the data controller responsible for your personal data. We are committed to ensuring your privacy is protected in accordance with the General Data Protection Regulation (GDPR) and other applicable European data protection laws.

Types of Personal Data We Collect

We collect the following categories of personal data:

  • Authentication data: Email address, name, authentication tokens
  • Profile data: Gender, city, ride preference, age confirmation status
  • Trip data: Departure/arrival airport, flight date, flight number (optional)
  • Communication data: Messages exchanged within the platform
  • Location data: None. We never store, collect, or process your location coordinates. Location sharing (when a trip is active) is streamed ephemerally via third-party native apps (Google Maps, Apple Find My, WhatsApp) only. You control this feature entirely.
  • Usage data: Interactions with the platform (e.g., match requests, ratings)
  • Technical data: IP address, device information, browser type

Legal Basis for Processing

We process your personal data on the following legal bases:

  • Contract performance: Your data is necessary to provide ride-matching services (GDPR Article 6(1)(b))
  • Legal obligation: We process data to comply with regulatory requirements (Article 6(1)(c))
  • Legitimate interests: We process data to improve our service, prevent abuse, and ensure safety (Article 6(1)(f))
  • Consent: Where required, we process specific data only with your explicit consent

Purposes of Data Processing

We process your personal data for the following purposes:

  • Providing the ride-matching service: Matching you with other users based on airport, flight time, and preferences
  • Account management: Creating and maintaining your account, authentication, and profile management
  • Communication: Sending transactional emails (match notifications, messages, account updates)
  • Safety and security: Preventing fraud, abuse, harassment, and enforcing community standards
  • Analytics and improvements: Understanding platform usage patterns (anonymised data only)
  • Legal compliance: Meeting regulatory requirements and establishing, exercising, or defending legal claims

Data Retention

We retain your personal data according to the following schedule:

  • Account data (name, email, profile): Retained while your account is active. After deletion, hard-deleted after 30 days.
  • Messages: Retained for 90 days from match acceptance to allow dispute resolution. After 90 days, permanently deleted.
  • Trip data: Retained while your account is active. After deletion, anonymised (location, flight number, city removed) and retained indefinitely for aggregated analytics.
  • Anonymised analytics: Retained indefinitely to understand platform trends and safety metrics. This data cannot be traced back to you.
  • Location data: Never stored. Streamed ephemerally only (via native apps) — no copy kept.

Your Responsibilities

To protect your privacy and safety:

  • Do not share sensitive personal information in chat (e.g., phone numbers, home addresses, passport details, payment information). Once shared, we cannot control how others use it.
  • Use strong, unique passwords for your account.
  • Report suspicious behaviour or privacy concerns immediately through the app.
  • Review messages before sending — Flaito cannot retrieve or modify messages after sending.

Your Data Subject Rights

Under the GDPR, you have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Correct inaccurate or incomplete personal data
  • Erasure ("right to be forgotten"): Request deletion of your data, subject to legal obligations
  • Restriction: Limit how we process your data in certain circumstances
  • Portability: Receive your data in a portable, machine-readable format
  • Object: Oppose certain types of processing
  • Withdraw consent: If we rely on consent, you can withdraw it at any time

To exercise these rights, contact hello@flaito.io. We will respond within 30 days.

Third Parties and Sharing

We share your personal data only in these circumstances:

  • Service providers: Cloud hosting (Supabase), email delivery (Resend), error monitoring (Sentry), analytics (Plausible)
  • Legal requirements: If required by law enforcement or court order
  • Account deletion: When you delete your account, we may retain anonymised data for analytics

We do not sell or rent your personal data to third parties.

Security

We implement technical and organisational measures to protect your data against unauthorised access, alteration, or destruction:

  • Encryption: Data in transit is encrypted with TLS/HTTPS
  • Access control: Only authorised staff access personal data
  • Regular audits: We monitor for security vulnerabilities
  • Incident response: We investigate and report data breaches as required by law

Children and Minors

Flaito is for users aged 18 and above. We do not knowingly collect personal data from children under 18. If we learn that we have inadvertently collected such data, we will delete it immediately.

International Data Transfers

Your data may be processed by our service providers in countries outside the EU/EEA. We ensure appropriate safeguards (Standard Contractual Clauses or adequacy decisions) are in place for all international transfers.

Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, contact:

Flaito Data Protection Team
Email: hello@flaito.io

We aim to respond to all requests within 30 days.

Right to Lodge a Complaint

You have the right to lodge a complaint with your national data protection authority if you believe we have violated your rights. Each EU member state has a Data Protection Authority.