Privacy Policy

Last updated: 21 March 2026

1. Data Controller

FlyScout ("we", "us", "our") is the data controller responsible for your personal data. If you have questions about this policy or your data, contact us at our contact page.

2. What Data We Collect

We collect the minimum data necessary to provide our service:

  • Account data — email address, first name, and surname. Provided when you sign in via Google or magic link.
  • Payment data — managed entirely by Stripe. We do not store your card number, expiry, or CVC. We store your Stripe customer ID and subscription status.
  • Alert preferences — origin/destination airports, price thresholds, and date ranges you configure for deal alerts.
  • Session data — a session token stored in a secure, HTTP-only cookie to keep you signed in.

Flight fare data displayed on the site is publicly available pricing information and does not constitute personal data.

3. Why We Collect It

  • To provide the service — your account lets you save alerts and manage a Pro subscription.
  • To send deal alerts — we check fares against your alert thresholds and email you when prices drop.
  • To process payments — Stripe handles Pro subscription billing on our behalf.
  • To send essential emails — sign-in links, welcome messages, and subscription confirmations.

4. Legal Basis (GDPR)

  • Contract performance — processing your account data, alerts, and subscriptions is necessary to deliver the service you signed up for.
  • Legitimate interest — sending essential transactional emails (sign-in links, payment receipts) and maintaining site security.

We do not process data based on consent for marketing purposes. We do not send promotional emails.

5. Third-Party Processors

We use the following categories of service providers to operate FlyScout. Each processes data on our behalf under GDPR-compliant terms:

  • Database hosting (EU region) — stores account data, sessions, and alerts.
  • Payment processing — handles Pro subscription billing. We do not store your card details.
  • Email delivery — sends sign-in links, deal alerts, and receipts.
  • Cloud hosting — website hosting and serverless infrastructure.
  • Authentication providers — Google OAuth (only if you choose to sign in with Google). We receive your name, email, and profile photo.
  • Analytics — privacy-friendly, cookieless web analytics. No personal data is collected. No cookies are set.

For a full list of specific sub-processors, you may contact us at our contact page.

6. Cookies

FlyScout uses only strictly necessary cookies — a session cookie to keep you signed in. This cookie is essential for the service to function and is exempt from consent requirements under the ePrivacy Directive.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. Our analytics provider operates without cookies entirely.

7. Data Retention

  • Account data — retained for as long as your account exists. When you delete your account, it is soft-deleted (marked as deleted) and all alerts are deactivated. You can reactivate your account by signing in again. Permanently purged after 90 days of inactivity.
  • Session tokens — expire automatically after 7 days.
  • Payment records — retained by our payment processor per their legal obligations. We retain subscription status for the duration of your account.
  • Deal alerts — deleted when you delete the alert or your account.

8. Your Rights

Under GDPR, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — delete your account from the account settings page. Your account is soft-deleted and can be reactivated by signing in again. For permanent erasure, contact us via our contact page.
  • Data portability — receive your data in a structured, machine-readable format.
  • Object — object to processing based on legitimate interest.
  • Withdraw consent — where processing is based on consent (currently not applicable).

To exercise any of these rights, email our contact page. We will respond within 30 days.

9. Data Security

All data is transmitted over HTTPS. Database connections use SSL. Passwords are never stored (we use OAuth and magic links). Payment data is handled entirely by Stripe and never touches our servers.

10. Children

FlyScout is not directed at children under 16. We do not knowingly collect personal data from children.

11. Changes to This Policy

We may update this policy from time to time. We will notify registered users by email of any material changes. The "last updated" date at the top of this page reflects the most recent revision.