Privacy Policy

1. Identity and Contact Details of the Controller

The data controller is:

FlySociety Private Aviation SL
Registered office: Calle Bahia de Pollensa 5, 28042, Madrid, Spain

For any privacy or data protection concern, please email dpo@flysociety.com

2. Purposes and Legal Basis for Processing

We collect and process personal data for the following purposes:

a. To provide our services to you

This is the main reason we need to collect personal data. We require information about you in order to:

• respond to charter requests and service inquiries;

• prepare quotations and flight options;

• arrange aircraft charter brokerage and related services;

• prepare and conclude agreements;

• send invoices and payment-related communications;

• organize, coordinate, and follow up on flights and related services;

• communicate with passengers, charterers, assistants, family offices, concierges, and other authorized contacts.

In this context, the collection of certain personal data is a contractual requirement, not a statutory one. If the required information is not provided, FlySociety may be unable to prepare a quotation, enter into a contract, or provide the requested services.

Legal basis under GDPR: processing is necessary to take steps at your request prior to entering into a contract and/or to perform a contract.

b. To improve your customer experience and our services

We may process personal data to improve our services, customer experience, and operational efficiency. This may include:

• understanding client preferences;

• tailoring communications and service options;

• remembering trip or catering preferences;

• improving website performance and usability;

• analyzing how our website and communications are used;

• sending updates, service announcements, or marketing communications where permitted by law.

Where you have requested or used our services, we may send you information about similar services, unless you opt out. You may unsubscribe from marketing communications at any time by using the unsubscribe link in the communication or by contacting us directly.

Legal basis under GDPR: legitimate interests and, where required, consent.

c. To comply with legal and regulatory obligations

In certain cases, we are required to collect, use, or disclose personal data to comply with legal, regulatory, tax, anti-fraud, anti-money-laundering, sanctions, aviation security, immigration, customs, or law-enforcement obligations.

Legal basis under GDPR: compliance with a legal obligation.

d. To protect legitimate business interests

We may process personal data where necessary to protect our legitimate interests, including:

• fraud prevention;

• legal claims and dispute management;

• internal reporting and administration;

• IT security and platform protection;

• enforcing our contractual rights and website terms.

Legal basis under GDPR: legitimate interests, except where overridden by your rights and freedoms.

3. Categories of Personal Data Collected

Depending on the nature of your interaction with us, we may collect the following categories of personal data:

a. Contact details

• full name

• company name

• telephone number

• email address

• billing or physical address

b. Identity and passenger information

• date of birth

• nationality

• passport or identification details

• visa-related information where required for travel

• passenger manifest details

c. Travel and service information

• departure and destination details

• travel dates and times

• aircraft preferences

• catering preferences

• ground transportation requirements

• hotel or concierge requests

• special travel requirements

• pet travel information

d. Financial and transaction information

• invoicing details

• payment status

• transaction-related information

• limited payment details where relevant through payment service providers

e. Relationship and preference data

• language preferences

• communication preferences

• service history

• loyalty, referral, or account-related information

• client and passenger preferences

f. Technical and usage data

• IP address

• browser type

• device information

• website interaction data

• cookie and analytics data

• records of communications or enquiries

g. Sensitive personal data

We do not seek to collect sensitive personal data unless strictly necessary for the requested service, legal compliance, or safety requirements. Where needed, this may include health-related or accessibility information relevant to a flight or special assistance request. Where required by law, we will rely on an appropriate legal basis and apply additional safeguards.

4. Sources of Personal Data

We may collect personal data:

• Directly from you;

• From someone acting on your behalf, such as an assistant, family office, corporate travel arranger, concierge, or broker partner;

• From operators, service providers, and partners involved in your requested services;

• Through our website, forms, cookies, analytics tools, and communications systems;

• From public sources where relevant for legitimate business purposes.

5. Recipients of Personal Data

Personal data may be processed internally by authorized FlySociety personnel, strictly on a need-to-know basis. Where necessary, FlySociety may disclose personal data to the following categories of recipients:

• Licensed aircraft operators, air carriers, and their relevant personnel;

• Airport authorities, airport handlers, FBOs, terminals, ground handling agents, slot coordinators, customs, immigration, and security providers;

• Ancillary travel and lifestyle service providers engaged at your request, such as ground transportation providers, hotels, catering providers, and concierge providers;

• Technology and infrastructure providers supporting FlySociety's operations, including hosting, CRM, communications, and analytics providers;

• Payment service providers, banks, financial institutions, and fraud prevention providers;

• Professional advisers including lawyers, accountants, auditors, insurers, and compliance advisers;

• Regulators, courts, law enforcement, tax authorities, and other public or governmental bodies where required by law;

• Carefully selected business partners or intermediaries involved in the requested service.

FlySociety does not disclose personal data to third parties for their own independent marketing purposes except where you have expressly requested this, consented to it, or where another lawful basis applies.

6. International Transfers of Personal Data

Because FlySociety operates internationally and arranges flights across multiple jurisdictions, personal data may be transferred to, accessed from, or processed in countries outside the European Economic Area ("EEA"). Such transfers may arise where your requested itinerary involves international travel, where an operator or supplier is located outside the EEA, or where a technology provider operates internationally.

Where GDPR applies, FlySociety will ensure that an appropriate transfer mechanism is in place, such as an adequacy decision recognized by the European Commission, Standard Contractual Clauses, or a transfer necessary for the performance of a contract with you. You may contact FlySociety if you would like further information about the safeguards that apply to relevant international transfers.

7. Retention Period

FlySociety retains personal data only for as long as necessary for the purposes described in this Privacy Notice. Unless a longer period is required or permitted by law, FlySociety generally applies the following retention approach:

• Charter inquiries and pre-contract communications: retained for up to 24 months from the date of the last meaningful interaction;

• Client account, booking, passenger, and core service records: retained for up to 6 years from the date of the last completed transaction;

• Invoicing, payment, accounting, tax, and legally required business records: retained for up to 6 years, or longer where required by law;

• Marketing suppression records and unsubscribe data: retained for as long as necessary to respect your marketing preferences;

• Website analytics and technical logs: retained for the period strictly necessary for the relevant purpose;

• Dispute, complaint, and legal claim records: retained for as long as reasonably necessary to establish, exercise, or defend legal claims.

8. Confidentiality and Security Measures

We apply technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, alteration, or disclosure. These measures may include:

• restricted access controls;

• authentication and password protection;

• multi-factor authentication;

• role-based permissions;

• secure cloud environments;

• session timeouts;

• contractual confidentiality obligations;

• staff awareness and privacy handling procedures.

9. Your GDPR Rights

If GDPR applies to the processing of your personal data, you may have the following rights:

a. Right of access

You may request confirmation of whether we process your personal data and access to that data and related information.

b. Right to rectification

You may ask us to correct inaccurate personal data and complete incomplete data.

c. Right to erasure

In certain circumstances, you may ask us to erase your personal data, also known as the "right to be forgotten."

d. Right to restrict processing

You may request restriction of processing in certain circumstances.

e. Right to object

You may object to processing based on legitimate interests and to direct marketing.

f. Right to data portability

Where legally applicable, you may request a copy of certain personal data in a structured, commonly used, machine-readable format and ask for it to be transmitted to another controller.

g. Right not to be subject to certain automated decisions

You have the right not to be subject to a decision based solely on automated processing, including profiling, where that decision produces legal or similarly significant effects.

h. Right to lodge a complaint

You have the right to lodge a complaint with the competent supervisory authority.

10. California Privacy Rights under CCPA/CPRA

If you are a California resident and the CCPA/CPRA applies to FlySociety's processing of your personal information, you may have the following rights:

a. Right to know

You may request information about the categories of personal information collected, the sources of that information, the business or commercial purposes for collecting it, and the categories of third parties to whom it is disclosed.

b. Right to delete

You may request deletion of personal information collected from you, subject to certain exceptions.

c. Right to correct

You may request correction of inaccurate personal information.

d. Right to opt out of sale or sharing

Where applicable, you may direct a business not to sell or share your personal information as those terms are defined by California law.

e. Right to limit the use and disclosure of sensitive personal information

Where applicable, you may request that a business limit certain uses of sensitive personal information.

f. Right to non-discrimination

You have the right not to receive discriminatory treatment for exercising your privacy rights. We do not sell personal information in the ordinary meaning of the word.

11. How to Exercise Your Rights

To exercise your privacy rights, please contact:

Data Protection Officer (DPO)
Email: dpo@flysociety.com
Address: Calle Bahia de Pollensa 5, 28042, Madrid, Spain

Please include:

• your full name;

• the email address or phone number used in your communications with us;

• the right you wish to exercise;

• sufficient information for us to verify your identity and process your request.

12. Marketing Communications

If you no longer wish to receive marketing or promotional communications from FlySociety, you may opt out at any time by:

• clicking the unsubscribe link in the relevant email; or

• contacting us directly.

We may still send non-marketing communications where necessary for service, transactional, legal, or operational purposes.

13. Cookies and Similar Technologies

Our website may use cookies and similar technologies to operate effectively, remember preferences, analyze site usage, improve performance, and support communications and marketing. For more information, please refer to our Cookies Policy or cookie settings notice.

14. Third-Party Websites

Our website may include links to third-party websites, platforms, or services. We are not responsible for the privacy practices, content, or security of those third parties. You should review their privacy notices separately.

15. Changes to this Privacy Notice

We may update this Privacy Notice from time to time to reflect changes in law, regulation, business practices, or services. Any updated version will be posted on the relevant page of our website with the revised effective date.

16. Contact and Complaints

If you have questions or concerns about this Privacy Notice or how we process personal data, please contact:

Data Protection Officer (DPO)
Email: dpo@flysociety.com
Address: Calle Bahia de Pollensa 5, 28042, Madrid, Spain