Privacy Policy

1. Data Controller

FlyByDate, LLC is the data controller responsible for personal data collected through the Service. For GDPR purposes, we are established in the United States and process data from EU/EEA residents on the basis described in Section 4.

Contact our privacy team at privacy@flybydate.com or see Section 15 for full contact details.

2. Data We Collect

We collect personal data in the following categories:

Account & Profile Data

• Name, email address, date of birth, and gender identity
• Profile photos and biography
• Preferences (interests, meeting preferences, age range)
• Account credentials (hashed password if email/password registration)

Flight & Location Data

• Voluntarily submitted flight details: airline, flight number, origin/destination airports, scheduled flight times
• Current airport / terminal location (if location permission granted)
• Approximate geographic location derived from IP address

Activity & Usage Data

• Swipe activity (likes, passes) — stored pseudonymously
• Messages sent within the Service (end-to-end not currently encrypted; do not send sensitive information)
• Feature usage, screen views, and session duration

Device & Technical Data

• IP address, browser type and version, operating system
• Device type and identifiers
• Log data (timestamps, pages viewed, errors)
• Cookies and similar tracking technologies (see Section 10)

Communications

• Messages you send us (support requests, feedback, reports)
• Your email address for transactional and promotional communications

Third-Party Authentication Data

• If you sign in with Google, we receive your name, email address, and profile picture as permitted by your Google account settings

We do not collect or store payment card numbers directly. Payment processing is handled by third-party payment processors (e.g., Stripe) subject to their own privacy policies.

3. How We Use Your Data

We use your personal data for the following purposes:

• Providing the Service: creating and managing your account, facilitating matching with other travelers, enabling in-app messaging
• AI-Powered Matching: processing your profile data and flight information through algorithmic systems to generate match suggestions
• Safety & Trust: detecting and preventing fraud, abuse, harassment, and prohibited content; verifying user eligibility; responding to reports
• Communications: sending transactional emails (account confirmations, password resets, match notifications) and, with your consent, promotional communications
• Service Improvement: analyzing usage patterns to improve features, performance, and user experience
• Legal Compliance: complying with applicable laws, regulations, and lawful requests from authorities
• Dispute Resolution: maintaining records necessary to resolve disputes and enforce our Terms

We do not sell your personal data to data brokers or advertising networks.

4. Legal Basis for Processing (GDPR)

If you are located in the EU/EEA or UK, we process your personal data under the following legal bases pursuant to GDPR Article 6:

• Contract (Art. 6(1)(b)): Processing necessary to provide the Service under our Terms of Service — account management, matching, and messaging
• Legitimate Interests (Art. 6(1)(f)): Fraud prevention, security monitoring, service improvement, and direct marketing to existing users (where overridden by your interests)
• Legal Obligation (Art. 6(1)(c)): Compliance with applicable EU/Member State laws
• Consent (Art. 6(1)(a)): Sending marketing communications; processing location data via device permissions; certain analytics cookies. You may withdraw consent at any time without affecting the lawfulness of prior processing

Where we process special category data (e.g., inferred sexual orientation from swipe preferences), we rely on your explicit consent under Art. 9(2)(a) GDPR, which you may withdraw at any time by deleting your account.

5. Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share data in the following limited circumstances:

With Other Users

Profile information you provide (name, photos, bio, interests, airport) is visible to other users for matching purposes. Flight details are shown at a general level (e.g., "departing from JFK today") — we do not display your full flight number or booking reference to other users without your consent.

Service Providers

We engage trusted third-party vendors to support the Service, including:

• Supabase: database hosting and authentication (data processed in the US/EU)
• Vercel: application hosting and delivery
• Stripe: payment processing
• SendGrid / Resend: transactional email delivery
• Analytics providers: service usage analytics (non-identifying where possible)

All processors are bound by data processing agreements and are prohibited from using your data for their own purposes.

Legal Requirements

We may disclose data if required by law, court order, subpoena, or regulatory authority, or where necessary to protect the rights, property, or safety of FlyByDate, our users, or the public.

Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, personal data may be transferred as part of the transaction. We will notify you via email or prominent notice before data is transferred and becomes subject to a different privacy policy.

6. Flight Data — Special Considerations

Flight information is the core functional data of our Service. We treat it with heightened care:

• Flight data is used only to facilitate time-limited matching with travelers in the same airport window
• Flight details are not shared with airlines, airport authorities, government agencies, or advertisers except as required by law
• Specific flight numbers submitted by users are never displayed publicly to other users — only general location context (airport + approximate time)
• Flight data is automatically purged within 72 hours of the flight's scheduled departure, subject to legal hold requirements
• You may delete your flight records at any time through the app

7. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. Specific retention periods:

• Account & profile data: Retained for the life of the account, plus 30 days after deletion request to allow for recovery
• Flight data: Purged within 72 hours of the scheduled flight departure
• Chat messages: Retained for 90 days after the matching window ends, then permanently deleted
• Activity logs: Retained for up to 12 months for fraud prevention and debugging
• Legal holds: Data subject to active legal proceedings may be retained beyond standard periods
• Waitlist data: Retained until the waitlist program ends or you request deletion

Upon account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required by law.

8. Your Rights

Depending on your location, you have the following rights regarding your personal data:

To exercise any of these rights, contact us at privacy@flybydate.com or through the Contact page. We will respond within 30 days (or 45 days where permitted by law). We may need to verify your identity before processing requests.

You will not be discriminated against for exercising your privacy rights.

9. California Residents — CCPA/CPRA Rights

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA, including:

• Right to Know: Request disclosure of the categories and specific pieces of personal information we collected about you, the sources, business purposes, and categories of third parties with whom we shared it
• Right to Delete: Request deletion of your personal information, subject to certain exceptions
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising. No opt-out is required, but you may contact us to confirm
• Right to Limit Sensitive Personal Information: Limit our use of sensitive personal information to that necessary to provide the Service
• Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

Categories of personal information collected in the last 12 months: Identifiers; Personal information categories listed in CA Civil Code §1798.80(e); Internet or other electronic network activity; Geolocation data; Inferences drawn from personal information.

To submit a verifiable consumer request, contact privacy@flybydate.com. We will respond within 45 days.

10. Cookies and Tracking Technologies

We use cookies and similar technologies including local storage and session storage to:

• Essential cookies: Maintain your authentication session and user preferences (required for the Service to function)
• Analytics cookies: Understand how users interact with the Service (may be disabled without affecting core functionality)
• Performance cookies: Monitor Service performance and diagnose errors

We do not use third-party advertising cookies or tracking pixels for behavioral advertising.

You can control cookies through your browser settings. Disabling essential cookies will impair your ability to use the Service. For EU/EEA users, non-essential cookies require your consent.

11. Children's Privacy

The Service is strictly for users aged 18 and older. We do not knowingly collect personal data from individuals under 18. If we learn that we have collected data from a minor, we will delete it immediately. If you believe a minor has registered with our Service, please contact us at privacy@flybydate.com.

12. International Data Transfers

FlyByDate operates in the United States. If you are located outside the US, your data may be transferred to and processed in the US, which may have different data protection standards than your country.

For transfers of EU/EEA personal data to the US, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, and/or other lawful transfer mechanisms as applicable.

For UK residents, we rely on the UK International Data Transfer Agreement (IDTA) or equivalent mechanisms.

13. Security

We implement industry-standard technical and organizational measures to protect your personal data against unauthorized access, disclosure, alteration, or destruction. These measures include:

• TLS encryption for data in transit
• AES-256 encryption for sensitive data at rest
• Row-level security (RLS) policies on our database
• Regular security reviews and penetration testing
• Access controls limiting employee access to personal data on a need-to-know basis

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. In the event of a data breach affecting your rights and freedoms, we will notify affected users and relevant authorities as required by law.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and/or a prominent notice in the Service, and update the "Last Updated" date above. We encourage you to review this Policy periodically.

Your continued use of the Service following notice of changes constitutes acceptance of the updated Policy.

15. Contact & Data Protection Officer

For privacy-related inquiries, data subject requests, or to contact our Data Protection Officer:

If you are an EU/EEA resident and believe we have not adequately addressed your concern, you have the right to lodge a complaint with your national Data Protection Authority. A list of EU DPAs is available at edpb.europa.eu.