Privacy Policy

Effective date: May 16, 2026

FlightFlow is a flight tracking service. This policy explains what data the FlightFlow operator collects, why, and what we do not do.

What we collect

• Email address. Only when you create an account or opt in to notifications from a share link. You can use core tracking without creating an email account.
• Flight history. The flight numbers and dates you add, plus the derived schedule, status, and timing data we fetch on your behalf.
• Subscription history. Entitlement state from RevenueCat (plan tier, purchase date). We do not store card numbers.
• Device data. Device model, OS version, locale (Firebase Analytics defaults). Used to debug and improve the app.
• Location data. Only when you enable a feature that needs it, such as gate navigation or pickup mode. We do not track you between trips.
• Crash reports. Device state at crash time, via Firebase Crashlytics. Retained 90 days.

What we do not do

• We do not sell your data. Ever.
• We do not run targeted advertising.
• We do not set tracking cookies on share-link recipient pages.
• We do not fingerprint devices, embed third-party ad SDKs, or share data with data brokers.

Third parties (processors)

These vendors process data on our behalf under Data Processing Agreements and, where applicable, EU Standard Contractual Clauses:

• Firebase and Google Cloud. Auth, Firestore, Cloud Functions, Hosting, Cloud Run, Crashlytics, Analytics.
• RevenueCat. Subscription entitlements.
• FlightAware. Flight schedules, status, and aircraft position where available. No account PII transmitted.
• AeroDataBox. Airport and aircraft data.
• NOAA. METAR, TAF, and aviation weather context. No turbulence forecasts.
• OpenSky Network. Aircraft tail and historical movement context.
• Google Maps Distance Matrix. Airport pickup and gate-navigation distance estimates.
• Postmark. Transactional email.
• Cloudflare. DNS and CDN.

Your rights

FlightFlow is designed to support GDPR (Arts. 15 to 17, 20) and CCPA access, correction, deletion, and export rights. To exercise these rights:

• In-app: Settings, Privacy, Export my data or Delete my account.
• Web: flightapp.co/data-deletion.
• Email: privacy@flightapp.co (response within 30 days).

Children

FlightFlow is not directed at children under 13 and does not knowingly collect data from them (COPPA, 16 CFR §312). If we learn we have collected such data, we will delete it.

Retention

Flight history is retained until you delete your account so you can export, audit, or use it for compensation claims. Share-link data is deleted 48 hours after the flight lands. Crash reports: 90 days. Analytics: 14 months. Account deletion triggers hard-delete after a 30-day soft-delete window.

International transfers

Firebase and RevenueCat may process data in the United States under Standard Contractual Clauses (Schrems II, C-311/18). The iOS 1.0.0 bundle will include the Apple privacy manifest (PrivacyInfo.xcprivacy) declaring APIs accessed and data categories collected.

Changes

We notify you in-app or by email at least 30 days before material changes take effect. Prior versions are archived at /changelog.

Contact

Privacy questions: privacy@flightapp.co.
Data requests: privacy@flightapp.co.