Legal & Policies

1. Information We Collect

Account information: name, email address, and password when you register.

Flight booking information: passenger names, dates of birth, passport/ID numbers, contact phone number, and billing address collected at checkout.

Shop order information: name, email address, shipping address, and phone number collected when you purchase merchandise from our shop.

Payment information: credit/debit card details. Card numbers are processed directly by our payment processors (Duffel Payments for flights, Stripe for shop purchases) and are never stored on our servers.

Usage data: IP address, browser type, pages visited, search queries, and device information collected automatically when you use our website.

Location data: approximate location inferred from your IP address to personalise flight search results (e.g., nearest airport) and determine your region for cookie consent preferences. We do not access precise GPS location.

Error and diagnostic data: when errors occur, our self-hosted error tracking service (BugSink) may collect technical details such as error messages, browser/device info, and IP address to help us identify and fix issues.

2. How We Use Your Information

• Process and confirm flight bookings on your behalf.
• Process and fulfil merchandise orders from our shop.
• Send booking confirmation, itinerary, e-ticket, and order confirmation emails.
• Notify you of flight schedule changes, cancellations, or status updates.
• Notify you of shop order status changes and shipping updates.
• Verify your identity and prevent fraud.
• Personalise your experience (e.g., show flights from your nearest airport).
• Improve our platform through privacy-first, cookie-less analytics (Umami).
• Diagnose and fix errors using our self-hosted error tracking (BugSink).
• Comply with legal obligations.

3. Sharing Your Information

We share your personal data only as necessary:

• Duffel Technologies Ltd — our flight booking technology provider. Passenger data (names, dates of birth, passport details) is transmitted to Duffel and onward to airlines to complete your booking.
• Airlines — your booking details are shared with the operating carrier as required to issue your ticket.
• Stripe — our payment processor for shop purchases. Billing details are shared with Stripe to process your merchandise payment securely.
• Printify — our print-on-demand fulfilment partner for the shop. Your name, shipping address, and order details are shared with Printify to produce and deliver your merchandise.
• Resend — our transactional email provider. Your email address is shared with Resend to deliver booking confirmations, order updates, and account notifications.
• BugSink (self-hosted) — our error tracking service. Technical error data may include IP address and browser info. BugSink is self-hosted on our own servers; no data is sent to third parties.
• Umami Analytics (self-hosted) — our privacy-first analytics service. Umami does not use cookies, does not collect personal data, and is self-hosted on our own servers.
• Legal obligations — we may disclose information if required by law or court order.

We do not sell, rent, or share your personal information with third parties for marketing purposes.

4. Legal Basis for Processing (EU/UK Users)

If you are located in the European Union or United Kingdom, we process your personal data under the following legal bases (GDPR Art. 6):

• Contract performance — processing your booking information, passenger details, and payment to fulfil your flight booking or shop order contract.
• Legitimate interests — fraud prevention, security monitoring, and improving our platform.
• Legal obligation — retaining financial records as required by applicable law.
• Consent — analytics cookies and marketing communications (where you have opted in). You may withdraw consent at any time.

5. Data Retention

We retain your personal data for as long as your account is active and as needed to provide you with our services. After account closure, we retain data as required by law (e.g., financial and tax records) and delete remaining personal data upon request. To request account deletion, email [email protected].

6. Your Rights

You have the following rights regarding your personal data:

• Access — obtain a copy of the personal data we hold about you.
• Rectification — correct inaccurate or incomplete data.
• Erasure ("right to be forgotten") — request deletion of your data, subject to legal obligations.
• Restriction of processing — ask us to limit how we use your data in certain circumstances.
• Data portability — receive your data in a structured, machine-readable format.
• Object — object to processing based on legitimate interests or for direct marketing.
• Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email [email protected]. We will respond within 30 days (one calendar month as required under GDPR).

EU/UK residents also have the right to lodge a complaint with your national data protection authority (DPA). A list of EU DPAs is available at edpb.europa.eu. UK residents may contact the ICO.

7. California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you the following additional rights:

• Right to know — request disclosure of the categories and specific pieces of personal information we collect, use, and share.
• Right to delete — request deletion of personal information we have collected from you (subject to exceptions).
• Right to correct — request correction of inaccurate personal information.
• Right to opt-out of sale/sharing — we do not sell or share your personal information for cross-context behavioural advertising.
• Right to non-discrimination — we will not discriminate against you for exercising any CCPA rights.

To submit a CCPA request, email [email protected] with the subject line "CCPA Request." We will respond within 45 days.

8. Cookies

We use cookies and similar technologies to operate our website, remember your preferences, and analyse traffic. Please see our Cookie Policy for full details.

9. Security

We use industry-standard security measures including HTTPS encryption, hashed passwords, and access controls to protect your data. However, no method of transmission over the internet is 100% secure and we cannot guarantee absolute security.

10. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required under GDPR Art. 33). If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay (GDPR Art. 34).

11. Children's Privacy

Our Service is not directed to children under 18. We do not knowingly collect personal data from minors. If you believe we have collected data from a child, please contact us and we will delete it promptly.

12. International Data Transfers

Your data may be processed in countries outside your own, including the United States and the United Kingdom (where Duffel is headquartered). Transfers are carried out using appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring your data receives an equivalent level of protection wherever it is processed.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by displaying a notice on our website. The "Last updated" date at the top reflects the most recent revision.

14. Contact Us

For privacy-related questions or requests, contact:
[email protected]
palapavibez.com