Legal

Privacy Policy

Your privacy is important to us. This policy explains how Cflyght, operated by CFT HULA, collects, uses, and protects your personal information.

Last updated: January 1, 2025

Secure Data

256-bit SSL encryption

Transparent

Clear data practices

Your Rights

Full GDPR control

Compliant

GDPR & EU law ready

1Introduction & Data Controller

This Privacy Policy describes how Cflyght, operated by CFT HULA ("Company," "we," "us," or "our"), collects, uses, discloses, and protects your personal information when you access or use our website, mobile applications, and travel booking services (collectively, the "Services").

By using our Services, you acknowledge that you have read, understood, and agree to the collection and use of your information as described in this Privacy Policy. If you do not agree with our policies and practices, please do not use our Services.

This Privacy Policy is incorporated into and subject to our Terms of Service. We are committed to protecting your privacy and ensuring compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR), the French Data Protection Act (Loi Informatique et Libertés), and other relevant European privacy legislation.

Data Controller Information

Brand

Cflyght

Operated By

CFT HULA

Address

5 Rue de la Martinière, 41100 Thoré-la-Rochette, France

privacy@cflyght.com

Phone

+33 1 42 68 53 00

2Information We Collect

We collect information you provide directly to us, information collected automatically when you use our Services, and information from third-party sources to provide and improve our travel booking services.

2.1 Information You Provide Directly

Account Information: Name, email address, phone number, password, and account preferences when you register for an account.
Booking Information: Traveler names, dates of birth, gender, passport/ID details, frequent flyer numbers, seat preferences, meal preferences, and special assistance requirements.
Payment Information: Credit/debit card numbers, billing address, and payment verification details (processed securely by PCI-DSS compliant payment processors).
Communication Data: Messages, emails, and other communications you send to us through our contact forms, customer support channels, or social media.

2.2 Information Collected Automatically

Device Information: Hardware model, operating system version, unique device identifiers, browser type and version, mobile network information.
Log Data: IP address, access dates and times, pages viewed, links clicked, referring/exit pages, and error logs.
Location Data: General geographic location based on IP address; precise location only with your explicit consent.
Cookies and Tracking Technologies: Cookies, web beacons, pixels, and similar technologies to enhance user experience and analyze usage patterns. See our Cookie Policy for details.

2.3 Information from Third Parties

Duffel API (Flight Data Provider): We use the Duffel API to power our flight search and booking services. When you search for or book flights, flight availability, pricing, and booking data is processed through this service.
Airlines and Travel Partners: Booking confirmation details, flight status updates, and loyalty program information.
Payment Processors: Transaction verification, fraud detection data, and payment status.

3How We Use Your Information

We use your personal information only for legitimate business purposes, including:

Service Delivery

Process and manage flight bookings
Issue electronic tickets and confirmations
Facilitate payments and refunds
Provide customer support and assistance
Send booking confirmations and travel updates

Account Management

Create and maintain your account
Authenticate your identity
Save preferences and booking history
Manage communication preferences
Provide personalized recommendations

Security & Compliance

Detect and prevent fraud
Comply with legal obligations
Respond to legal requests
Enforce our Terms of Service
Protect rights and safety

Improvement & Analytics

Analyze usage patterns and trends
Improve our Services and features
Develop new products and services
Conduct research and analysis
Test new features and functionality

4Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA) and United Kingdom, we process personal data under the following legal bases:

Contractual Necessity

Processing necessary to perform our contract with you, including booking flights and providing travel services.

Legal Obligation

Processing necessary to comply with legal requirements, such as tax obligations, anti-money laundering laws, and aviation security regulations.

Legitimate Interests

Processing necessary for our legitimate business interests, including fraud prevention, service improvement, and direct marketing (where permitted).

Consent

Where required by law, we obtain your explicit consent before processing, such as for marketing communications or non-essential cookies.

6International Data Transfers

As a global travel booking service, your personal information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws.

When we transfer personal data outside the EEA or UK, we ensure appropriate safeguards are in place: Standard Contractual Clauses (SCCs) approved by the European Commission, transfers to countries with adequate data protection laws, Binding Corporate Rules where applicable, and your explicit consent for specific transfers when required.

7Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable laws and regulations.

Booking records & transaction data: 7 years (legal/tax requirements)
Account information: Duration of account + 3 years
Customer support communications: 3 years after resolution
Marketing preferences: Until consent withdrawal
Website analytics data: 26 months (anonymized thereafter)

8Data Security

We implement comprehensive technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction.

Technical Safeguards

256-bit SSL/TLS encryption for data in transit
AES-256 encryption for data at rest
Multi-factor authentication (MFA)
Regular security assessments and penetration testing
Intrusion detection and prevention systems
Real-time security monitoring

Organizational Safeguards

Employee security training and awareness
Access controls and least privilege principles
Background checks for employees handling sensitive data
Incident response procedures
Vendor security assessments
Regular policy reviews and updates

9Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

Right to Access: Request a copy of the personal information we hold about you.
Right to Rectification: Request correction of inaccurate or incomplete personal information.
Right to Erasure: Request deletion of your personal information in certain circumstances.
Right to Restriction: Request that we limit processing of your personal information.
Right to Data Portability: Receive your data in a structured, machine-readable format.
Right to Object: Object to processing based on legitimate interests or for marketing.

10Children's Privacy

Our Services are not directed to children under the age of 16. We do not knowingly collect personal information from children under 16 without parental consent.

If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us at privacy@cflyght.com. We will take steps to delete such information promptly.

Note: When booking flights for minor travelers, we collect only the information necessary to complete the booking as required by airlines and aviation regulations.

11Policy Changes

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Effective Date" at the top of this policy, notify you via email or prominent notice on our website, and provide you with the opportunity to review the changes before they take effect.

12Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Data Protection Team.

Contact Details

Company