FLYCONNECT LIMITED PRIVACY POLICY

1.1 We are committed to safeguarding the privacy of our website visitors, service users, individual customers and customer personnel.

1.2 This policy applies where we are acting as a data controller with respect to the personal data of such persons; in other words, where we determine the purposes and means of the processing of that personal data.

1.3 Our website incorporates privacy controls which affect how we will process your personal data. By using the privacy controls, you can specify whether you would like to receive direct marketing communications and limit the collection, sharing and publication of your personal data.

1.4 We use cookies on our website. Insofar as those cookies are not strictly necessary for the provision of our website and services, we will ask you to consent to our use of cookies when you first visit our website.

2.1 In this Section 2 we have set out the general categories of personal data that we process and, in the case of personal data that we did not obtain directly from you, information about the source and specific categories of that data.

2.2 Contact Data

We may process data enabling us to get in touch with you ("contact data"). The contact data may include your name, email address, telephone number, postal address and/or social media account identifiers. The source of the contact data is you and/or your employer. If you log into our website using a social media account, we will obtain elements of the contact data from the relevant social media account provider.

2.3 Account Data

We may process your website user account data ("account data"). The account data may include your account identifier, name, email address, business name, account creation and modification dates, website settings and marketing preferences. The primary source of the account data is you and/or your employer, although some elements of the account data may be generated by our website. If you log into our website using a social media account, we will obtain elements of the account data from the relevant social media account provider.

2.4 Profile Data

We may process your information included in your personal profile on our website ("profile data"). The profile data may include your name, address, telephone number, email address, profile pictures, gender, date of birth, relationship status, interests and hobbies, educational details and employment details. The source of the profile data is you and/or your employer. If you log into our website using a social media account, we will obtain elements of the profile data from the relevant social media account provider.

2.5 Customer Relationship Data

We may process information relating to our customer relationships ("customer relationship data"). The customer relationship data may include your name, the name of your business or employer, your job title or role, your contact details, your classification / categorization within our customer relationship management system and information contained in or relating to communications between us and you, or between us and your employer. The source of the customer relationship data is you and/or your employer.

2.6 Service Data

We may process personal data that is provided during your use of our services or generated through the operation of our services ("service data"). This may include information related to you, your employer, or our services.

2.7 Transaction Data

We may process information relating to transactions, including purchases of goods and/or services that you enter into with us and/or through our website ("transaction data"). The transaction data may include:

• Your name
• Your contact details
• Your payment card details (or other payment details)
• Details of the transaction

The source of the transaction data is you and/or our payment services provider.

2.8 Communication Data

We may process information contained in or relating to any communication that you send to us or that we send to you ("communication data"). The communication data may include the communication content and metadata associated with the communication. Our website will generate the metadata associated with communications made using the website contact forms.

2.9 Usage Data

We may process data about your use of our website and services ("usage data"). The usage data may include:

• Your IP address
• Geographical location
• Browser type and version
• Operating system
• Referral source
• Length of visit
• Page views and website navigation paths
• Information about the timing, frequency, and pattern of your service use

The source of the usage data is our analytics tracking system.

2.10 Additional Data Categories

We may process general categories of data. This data may include specific items relevant to our services and operations. The source of this data will be identified based on its nature and collection method.

3.1 In this section, we outline the purposes for which we may process personal data and the legal bases for such processing.

3.2 Operations

We may process your personal data for the purposes of:

• Operating our website
• Processing and fulfilling orders
• Providing our services
• Supplying our goods
• Generating invoices, bills, and other payment-related documentation
• Credit control

The legal basis for this processing is our legitimate interests, namely the proper administration of our website, services, and business, or the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract.

3.3 Publications

We may process account data, profile data, and/or service data for the purposes of publishing such data on our website and elsewhere through our services in accordance with your express instructions.

The legal basis for this processing is either:

• Consent
• Our legitimate interests, namely the publication of content in the ordinary course of our operations
• The performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract

3.4 Relationships and Communications

We may process contact data, account data, customer relationship data, transaction data, and/or communication data for the purposes of:

• Managing our relationships
• Communicating with you (excluding direct marketing) via email, SMS, post, fax, and/or telephone
• Providing support services
• Handling complaints

The legal basis for this processing is our legitimate interests, namely communications with our website visitors, service users, individual customers, and customer personnel, the maintenance of our relationships, enabling the use of our services, and the proper administration of our website, services, and business.

3.5 Personalization

We may process account data, service data, and/or usage data for the purposes of personalizing the content and advertisements that you see on our website and services to ensure you only see relevant material.

The legal basis for this processing is either:

• Consent
• Our legitimate interests, namely offering the best possible experience for our website visitors and service users
• The performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract

3.6 Direct Marketing

We may process contact data, account data, profile data, customer relationship data, and/or transaction data for the purposes of:

• Creating, targeting, and sending direct marketing communications via email, SMS, and post
• Making contact by telephone for marketing-related purposes

The legal basis for this processing is either:

• Consent
• Our legitimate interests, namely promoting our business and communicating marketing messages and offers to our website visitors and service users

3.7 Research and Analysis

We may process usage data, service data, and/or transaction data for the purposes of researching and analyzing the use of our website and services, as well as researching and analyzing other interactions with our business.

The legal basis for this processing is either:

• Consent
• Our legitimate interests, namely monitoring, supporting, improving, and securing our website, services, and business generally

3.8 Record Keeping

We may process your personal data for the purposes of:

• Creating and maintaining our databases
• Back-up copies of our databases
• Maintaining our business records

The legal basis for this processing is our legitimate interests, namely ensuring that we have access to all the information we need to properly and efficiently run our business in accordance with this policy.

3.9 Security

We may process your personal data for the purposes of security and the prevention of fraud and other criminal activity. The legal basis for this processing is our legitimate interests, namely the protection of our website, services, business, and the protection of others.

3.10 Insurance and Risk Management

We may process your personal data where necessary for the purposes of:

• Obtaining or maintaining insurance coverage
• Managing risks
• Obtaining professional advice

The legal basis for this processing is our legitimate interests, namely the proper protection of our business against risks.

3.11 Legal Claims

We may process your personal data where necessary for the establishment, exercise, or defense of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.

The legal basis for this processing is our legitimate interests, namely the protection and assertion of our legal rights, your legal rights, and the legal rights of others.

4.1 We will use your personal data for the purposes of automated decision-making in relation to fraud detection and prevention, risk assessment for transactions, personalized marketing recommendations, and automated customer support responses.

4.2 This automated decision-making will involve analyzing transaction patterns and user behavior to detect fraudulent activities, assessing risk levels based on transaction history and account activity, using machine learning algorithms to suggest relevant products and services, and automated chatbot responses based on predefined rules and natural language processing.

5.1 We may disclose your personal data to our affiliates insofar as reasonably necessary for the purposes and on the legal bases set out in this policy.

5.2 We may disclose your personal data to our insurers and/or professional advisers insofar as reasonably necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, and obtaining professional advice.

5.3 Your personal data held in our website database will be stored on the servers of our hosting services providers.

5.4 We may disclose your name, email address, telephone number, postal address to our suppliers or subcontractors insofar as reasonably necessary for the completion of the services requested by you. We need to share details for all passengers on the booking with the airline, or any other supplier we are buying your requested service from. This will include personal information for all passengers such as title, name, date of birth and sometimes passport information including nationality (for Advanced Passenger Information purposes). It will also include more sensitive data such as medical information and details of any special requirements, or dietary information however; we will only share information that is relevant and necessary to fulfil your booking.

5.5 Financial transactions relating to our website and services may be handled by our payment services providers. We will share transaction data with our payment services providers only to the extent necessary for processing your payments, refunding such payments, and dealing with complaints and queries related to such payments and refunds.

5.6 We may disclose contact data along with any other personal data contained in enquiries made through our website or services to one or more of those selected third-party suppliers of goods and/or services identified on our website for the purpose of enabling them to contact you so that they can offer, market, and sell to you relevant goods and/or services. Each such third party will act as a data controller in relation to the personal data that we supply to it, and upon contacting you, each such third party will provide you with a copy of its own privacy policy, which will govern that third party's use of your personal data.

6.1 In this section, we provide information about the circumstances in which your personal data may be transferred to a third country under UK data protection law, EU data protection law, or both.

6.2 We may transfer your personal data from the European Economic Area (EEA) to the UK and process that personal data in the UK for the purposes set out in this policy, and may permit our suppliers and subcontractors to do so, during any period with respect to which the UK is not treated as a third country under EU data protection law or benefits from an adequacy decision under EU data protection law. Similarly, we may transfer your personal data from the UK to the EEA and process that personal data in the EEA for the purposes set out in this policy, and may permit our suppliers and subcontractors to do so, during any period with respect to which EEA states are not treated as third countries under UK data protection law or benefit from adequacy regulations under UK data protection law.

6.3 Our affiliates may have offices and facilities in other countries. Any transfers of personal data to such countries are subject to the data protection laws and regulatory requirements applicable to those affiliates. The implementation and compliance with appropriate safeguards, including the use of standard data protection clauses or binding corporate rules, remain the sole responsibility of the respective affiliates in accordance with their legal obligations.

6.4 The hosting facilities for our website are situated in United Kingdom. The competent data protection authorities have made an adequacy determination with respect to the data protection laws of each of these countries. Transfers to each of these countries will be protected by appropriate safeguards, namely the use of standard data protection clauses adopted or approved by the competent data protection authorities.

6.5 Our affiliates are situated in various countries. Any transfers of personal data to such countries are subject to the data protection laws and regulatory requirements applicable to those affiliates. The implementation and compliance with appropriate safeguards, including the use of standard data protection clauses, remain the sole responsibility of the respective affiliates in accordance with their legal obligations.

7.1 This section sets out our data retention policies and procedures, which are designed to help ensure compliance with our legal obligations regarding the retention and deletion of personal data.

7.2 Personal data that we process for any purpose shall not be kept for longer than necessary for that purpose.

7.3 We will retain your personal data as follows:

1. Contact data will be retained for a minimum period of 12 months following the most recent contact between you and us and a maximum period of 24 months.
2. Account data will be retained for a minimum period of 12 months following the closure of the relevant account and a maximum period of 24 months.
3. Profile data will be retained for a minimum period of 12 months following the deletion of the profile and a maximum period of 24 months.
4. Customer relationship data will be retained for a minimum period of 12 months following the termination of the relevant customer relationship and a maximum period of 24 months.
5. Service data will be retained for a minimum period of 12 months following the termination of the relevant contract and a maximum period of 24 months.
6. Transaction data will be retained for a minimum period of 12 months following the transaction date and a maximum period of 24 months.
7. Communication data will be retained for a minimum period of 12 months following the date of the communication and a maximum period of 24 months.
8. Usage data will be retained for 12 months following the date of collection.

8.1 We will implement appropriate technical and organizational measures to secure your personal data and prevent its loss, misuse, or alteration.

8.2 Your personal data will be stored on secure servers. The servers likely use encryption (at rest and in transit) to protect data. Only authorized personnel can access the servers. The data centers have physical safeguards like security personnel, surveillance, and controlled access. Measures are in place to prevent data loss from hardware failure or disasters.

8.3 The following personal data will be stored in encrypted form: your name, contact information, passwords, and cardholder data.

8.4 Data related to your enquiries and financial transactions transmitted between your web browser and our web server will be protected using encryption technology.

8.5 You acknowledge that the transmission of unencrypted or inadequately encrypted data over the internet carries inherent risks, and we cannot guarantee the absolute security of such data.

9.1 In this Section 9, we summarize the rights you have under data protection law. Some rights are complex, and this summary does not include all details. Please refer to the relevant laws and regulatory guidance for a full explanation of these rights.

9.2 Your principal rights under data protection law are:

1. The right to access – You can request copies of your personal data.
2. The right to rectification – You can ask us to correct inaccurate or incomplete personal data.
3. The right to erasure – You can request the deletion of your personal data in certain circumstances.
4. The right to restrict processing – You can ask us to limit the processing of your personal data under specific conditions.
5. The right to object to processing – You can object to our processing of your personal data in some cases.
6. The right to data portability – You can request that we transfer your personal data to another organization or to you.
7. The right to complain to a supervisory authority – You can lodge a complaint if you believe our processing of your personal data violates data protection laws.
8. The right to withdraw consent – If our processing is based on your consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

9.3 These rights are subject to certain limitations and exceptions. You can learn more about the rights of data subjects by visiting https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en and https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/

9.4 You have the right to confirmation of whether we process your personal data. Where we do, you can access it along with additional details about the purposes of processing, data categories, and recipients. The first copy of your personal data will be provided free of charge; additional copies may be subject to a reasonable fee. You can access your personal data by visiting the designated section of our website when logged into your account.

9.5 You have the right to request the rectification of inaccurate or incomplete personal data.

9.6 In some circumstances, you have the right to request the erasure of your personal data without undue delay. These circumstances include:

• The personal data is no longer necessary for the purposes for which it was collected.
• You withdraw consent for processing based on consent.
• You object to the processing under applicable data protection laws.
• The processing is for direct marketing purposes.
• The personal data has been unlawfully processed.

However, there are exclusions to this right, such as when processing is necessary:

• For exercising freedom of expression and information.
• For compliance with a legal obligation.
• For the establishment, exercise, or defense of legal claims

9.7 You have the right to request the restriction of processing in the following circumstances:

• You contest the accuracy of the personal data.
• Processing is unlawful, but you oppose erasure.
• We no longer need the personal data for processing purposes, but you require it for legal claims.
• You have objected to processing, pending verification of that objection.

Where processing is restricted, we may continue to store your personal data but will only process it with your consent, for legal claims, to protect another's rights, or for public interest reasons.

9.8 You have the right to object to our processing of your personal data based on legitimate interests or public interest unless we demonstrate compelling legitimate grounds that override your interests or processing is necessary for legal claims.

9.9 You have the right to object to our processing of your personal data for direct marketing (including profiling for direct marketing). If you object, we will stop processing your personal data for this purpose.

9.10 You have the right to object to our processing of your personal data for scientific or historical research or statistical purposes on grounds relating to your situation unless processing is necessary for public interest tasks.

9.11 If the legal basis for our processing of your personal data is:

1. Consent, or
2. Performance of a contract to which you are a party or steps prior to entering into a contract,

and such processing is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format. However, this right does not apply where it would affect the rights and freedoms of others.

9.12 If you believe our processing of your personal data infringes data protection laws, you have the right to lodge a complaint with a supervisory authority. Under EU data protection law, you may do so in the EU member state where you reside, work, or where the alleged infringement occurred. Under UK data protection law, you should file complaints in the UK.

9.13 If our processing of your personal data is based on consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

10.1 Our website includes hyperlinks to, and details of, third party websites.

12.1 You may contact us at any time to request details of the personal data we hold about you by emailing support@flyconnect.co.uk.

12.2 If you believe that any information we hold about you is inaccurate or incomplete, you may email us at support@flyconnect.co.uk, and we will promptly review and update it as necessary.