1. Data Controller
The data controller for your personal data is:
- Company name: [RAGIONE SOCIALE]
- Registered office: [SEDE LEGALE]
- VAT Number (P.IVA): [P.IVA]
- Email: info@pop2fly.com
- Certified email (PEC): [PEC]
This Privacy Policy describes how POP2FLY collects, uses, stores, and protects your personal data when you use our website pop2fly.com and related services, in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and Italian Legislative Decree 196/2003 (Privacy Code) as amended.
2. What Personal Data We Collect
2.1 Flight Booking Data
When you book a flight, we collect:
- First name and last name
- Date of birth (to verify minimum age of 18)
- Identity document number (passport or ID card)
- Gender
- Email address
- Phone number
- Flight selection, route, extras, and price paid
2.2 Flight Request Data
When no flights match your search and you submit a request, we collect:
- First name and last name
- Email address and phone number
- Desired departure, arrival, date, number of passengers, and optional notes
2.3 Partner Account Data
When an aviation company registers as a partner, we collect:
- Company name and email address
- Account password (stored only as a bcrypt hash)
2.4 Chat Data
When you use our chatbot assistant, we collect:
- Text messages you send (up to 2,000 characters per message)
- Voice messages (audio is transcribed and then deleted)
- Session identifier and IP address
2.5 Technical and Analytics Data
When you browse our website, we automatically collect:
- IP address
- Device type (mobile, tablet, desktop), browser type, and screen size
- Pages visited, scroll depth, and click behavior
- HTTP referrer (the website that directed you to us)
- Marketing campaign parameters (UTM tags) if present in the URL
- A randomly generated visitor identifier (not linked to your identity)
3. Purposes and Legal Basis
| Purpose | Data Processed | Legal Basis (GDPR) |
|---|---|---|
| Process flight bookings and issue confirmations | Name, DOB, document, gender, email, phone, flight details | Art. 6(1)(b) — Performance of a contract |
| Send booking confirmation emails | Email, name, flight details, confirmation code | Art. 6(1)(b) — Performance of a contract |
| Process flight requests when no flights are available | Name, email, phone, route preferences | Art. 6(1)(b) — Pre-contractual measures |
| Provide chatbot assistance | Chat messages, session ID, IP address | Art. 6(1)(f) — Legitimate interest (customer support) |
| Manage partner accounts | Company name, email, hashed password | Art. 6(1)(b) — Performance of a contract |
| Website analytics (with consent) | Anonymized IP, pages visited, behavior, device info | Art. 6(1)(a) — Consent |
| Prevent fraud and ensure platform security | IP address, login attempts, rate limiting | Art. 6(1)(f) — Legitimate interest (security) |
| Monitor and fix errors | Error logs, stack traces (no PII) | Art. 6(1)(f) — Legitimate interest (platform stability) |
4. Third-Party Data Sharing
We share your data with the following categories of third-party service providers, solely for the purposes described above:
| Service Provider | Purpose | Data Shared | Data Location |
|---|---|---|---|
| Google Analytics (Google LLC) | Website analytics | Anonymized IP, page views, behavior | USA (EU-US Data Privacy Framework) |
| Microsoft Clarity (Microsoft Corp.) | Session recordings and heatmaps | Anonymized browsing behavior | USA (EU-US Data Privacy Framework) |
| Groq Inc. | AI chatbot responses and voice transcription | Chat message text, audio for transcription | USA |
| Gmail SMTP (Google LLC) | Sending transactional emails | Recipient email, name, booking details | USA (EU-US Data Privacy Framework) |
| Sentry (Functional Software Inc.) | Error monitoring | Error logs only (no PII) | USA |
| Fly.io Inc. | Website hosting | All data processed through servers | EU (Frankfurt, Germany) |
Where data is transferred outside the European Economic Area (EEA), we rely on adequacy decisions, the EU-US Data Privacy Framework, or Standard Contractual Clauses (SCCs) as appropriate safeguards under GDPR Chapter V.
We do not sell, rent, or trade your personal data to any third party for marketing purposes.
5. Data Retention
We retain your personal data only for as long as necessary for the purposes described in this policy:
| Data Type | Retention Period |
|---|---|
| Booking data | 10 years from the booking date (legal/fiscal obligation) |
| Flight requests | 12 months from the submission date, then deleted |
| Partner accounts | Duration of the partnership, plus 12 months after termination |
| Chat messages | 6 months for customer support improvement, then deleted |
| Visit logs and analytics | Rolling limit of 5,000 records (oldest automatically deleted) |
| Behavioral tracking events | Rolling limit of 50,000 records (oldest automatically deleted) |
| Security logs (IP, login attempts) | Cleared from memory within 10 minutes of expiry |
6. Your Rights Under GDPR
As a data subject, you have the following rights under the GDPR. You can exercise any of these rights by contacting us at info@pop2fly.com:
- Right of access (Art. 15) — You can request a copy of all personal data we hold about you.
- Right to rectification (Art. 16) — You can request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17) — You can request deletion of your personal data, subject to legal retention obligations.
- Right to restriction of processing (Art. 18) — You can request that we limit the processing of your data in certain circumstances.
- Right to data portability (Art. 20) — You can request your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21) — You can object to processing based on legitimate interest, including profiling.
- Right to withdraw consent (Art. 7) — Where processing is based on consent (e.g., analytics cookies), you can withdraw consent at any time by rejecting cookies via your browser settings.
We will respond to your request within 30 days. If we need more time, we will notify you of the extension and the reasons for the delay.
You also have the right to lodge a complaint with your national data protection authority. In Italy, this is the Garante per la protezione dei dati personali (www.garanteprivacy.it).
7. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption in transit — All connections use HTTPS/TLS encryption with HSTS enforcement.
- Password security — All passwords are hashed using bcrypt and never stored in plain text.
- CSRF protection — All forms are protected against cross-site request forgery attacks.
- Content Security Policy — Strict CSP headers prevent cross-site scripting (XSS) attacks.
- Rate limiting — All endpoints are rate-limited to prevent abuse.
- Brute-force protection — Login attempts are limited with automatic lockout after repeated failures.
- Secure cookies — Session cookies are HttpOnly, Secure, and SameSite=Lax.
- Input validation — All user inputs are validated and sanitized to prevent injection attacks.
8. Cookies and Tracking Technologies
We use cookies and similar technologies on our website. For detailed information about which cookies we use, their purposes, and how to manage them, please see our Cookie Policy.
In summary: essential cookies are always active; analytics cookies (Google Analytics, Microsoft Clarity) are only activated after your explicit consent via the cookie banner.
9. Protection of Minors
Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal data from minors. Flight bookings require the user to be at least 18 years old, which is verified through the date of birth provided during booking. If we become aware that we have collected personal data from a person under 18, we will promptly delete such data.
10. Automated Decision-Making
POP2FLY does not use automated decision-making or profiling that produces legal effects or similarly significantly affects you. Our chatbot uses artificial intelligence (Groq/LLaMA) to provide informational assistance, but it does not make decisions about bookings, pricing, or access to services.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with a revised "Last updated" date. For significant changes that affect how we process your personal data, we will make reasonable efforts to notify you (e.g., via a notice on our website).
12. Contact Us
For any questions regarding this Privacy Policy or to exercise your rights, please contact: