Politique de confidentialité

Last update: August 26, 2025

This policy describes how FlyPool collects, uses, shares and protects your data when you use our services, including the mobile application, the website, the FlyStorethe program FlyPointsprograms, theAmbassadors and ATL (Ambassador Team Leaders)as well as our current and future associated services (including FlyConnect, FlyInfo, FlyCademy).

By using our Services, you agree to this Policy. If you do not agree, please do not use the Services.

1) Who we are (Data controller)

Data controller
Mathieu Burthey Company LP (acting on behalf of FlyPool)
Address: 23w 23 Woodvale Avenue, Giffnock, Glasgow, G46 6RG, United Kingdom
General contact: contact@flypool.me
Privacy contact / DPO : privacy@flypool.me

EU representative (if any) To be designated according to location and volume of EU users.

Range This Policy applies to all FlyPool users (drivers, passengers, FlyStore buyers, partners, sponsors, advertisers, Ambassadors/ATL, prospects, site visitors).

2) Useful definitions

Services : the app, the website, the FlyStore, carpooling modules, FlyPoints/Ambassador/ATL programs and all related functionalities.
User any individual using a Service (driver, passenger, buyer, ambassador, ATL, etc.).
Partners Businesses/organizations (advertisers, sponsors, FlyStore vendors, mobility partners, hoteliers, insurers, etc.).
Personal data : any information relating to an identified or identifiable natural person (RGPD art. 4).
Treatment any operation on personal data (collection, recording, consultation, etc.).

3) What data do we collect?

3.1 Data you provide directly to us

Create an account Last name, first name, nickname, email, phone, password, country/city, language, profile photo.
User profile : bio, travel preferences (favorite airports, schedules, type of vehicle if driver), interests.
Identity check (if activated): copy of official document (CNI/passport), verification selfie, date of birth.
Payment details payment methods (card, mobile money, wallet), billing/delivery addresses, billing preferences.
Generated content messages (chat), opinions/notations, comments, complaints, attachments.
Games/engagement : participation in challenges, surveys, wheel of chance, confirmation of marketing actions (e.g. "App Store/Play Store reviews").
Ambassador/ATL program Business location (city/airport zone), business reports, pro corporate accounts (optional), pro contact details.

3.2 Automatically collected data

Technical data IP address, cookie identifiers, device type, OS, version, model, language, time zone, crash logs.
Usage data : pages viewed, screens consulted, clicks, session times, acquisition sources, parameters, UTM.
Geolocation data (with your consent): approximate/precise GPS position, airport geofencing, history of route-related waypoints.
Carpooling history requests/proposals, journeys made, distance, duration, itineraries (aggregated/anonymized formats in due course), cancellations.
FlyStore page views, products viewed, shopping baskets, orders, refunds, preferences, wishlists.
FlyPoints : history of points earned/used, reasons for awarding (journeys, challenges, sponsorships, ad viewing, donations), tier status.

3.3 Third-party data

Social networks / SSO connections (if enabled): basic login, verified email, photo (with your consent).
Payment partners payment confirmations, transaction status (pass/fail), payment tokens.
Business partners : promotional codes used, eligibility for offers, validation of services (e.g. insurance, hotel).
Sponsorship & affiliation When a contact invites you, we receive the minimum information required to connect you (e.g. invitation code).
Ambassadors/ATL (via approved internal tools): aggregated feedback from the field (events, B2B leads), without excess or infringement of your rights.

4) For what purposes do we use your data (and on what legal grounds)?

Purpose	Concrete examples	Legal basis
Service delivery	Account creation, carpool reservation/coordination, messaging, FlyStore payment, FlyPoints allocation/use.	Contract
Security & anti-fraud	Identity verification, abuse detection, spam limitation, scam prevention, payment security.	Legitimate interest / Legal obligation
Personalization	Suggested itineraries, airports, FlyStore offers, content/location recommendations.	Legitimate interest / Consent (if cookies/pubs)
Marketing & prospecting	Newsletters, targeted offers, retargeting, push notifications (opt-in), ambassador/ATL operations.	Consent (or legitimate interest with opt-out)
Analytics & enhancement	Audience measurement, product testing, A/B testing, bug diagnostics, ergonomics.	Legitimate interest
FlyPoints program	Calculation/allocation/use of points, management of tiers & rewards, history.	Contract
Partner relations	Advertiser/sponsor contracts, aggregate performance reporting (non-nominative), after-sales service.	Contract / Legitimate interest
Legal obligations	Invoicing, accounting, responses to authorities, consumer law, RGPD/UK-GDPR.	Legal obligation

Note on targeted advertising we only trigger targeted advertising on consent (cookies banner and settings). Without consent, only contextual/essential ads or strictly necessary analyses.

5) Focus: FlyPoints (gains & uses) and data impacts

5.1 Earning FlyPoints (examples)

Journeys points per km/segment (value defined in your scale), airport bonus, rush-hour bonus.
Sponsorship (levels) : Starter → Legend (tiers, bonuses, anti-abuse limits).
Challenges & missions Marathon (5 trips/week), Night Owl (after 10pm), Weekend Warrior, Airport Express, World Tour.
Engagement & mini-games : commercials (advertising consent required)wheel of fortune, polls, blinds reviews.
Donations & impact donations to partner NGOs (conversion €→points according to scale).

Processed data These include account identifiers, activity logs, proof of eligibility (e.g. validation of a journey), pub consents and performance aggregates.
Profiling : yes (necessary to calculate rewards), without an automated decision producing legal effects within the meaning of RGPD art. 22.

5.2 Using FlyPoints

Free eligible wrinkles (according to local regulations).
Buy on FlyStore points only, card only, or hybrid points+card (points = discount).
Gift cards / cash-out (if available locally).
Free trials & partner offers (streaming, VPN, apps...).
Local benefits (cafés, coworking, trade shows, praise, car rentals).
Draws (tickets via points).
NGO donations.

Processed data balance & history, FlyStore baskets, preferences, discount receipts.
Conservation points history kept for as long as the account is active (accounting & anti-fraud), then anonymized.

6) Ambassadors & ATL program (data specificities)

Goals local community animation, evangelism, B2B/B2C partnerships, feedback from the field, user support.
Processed data Pro identity (name, pro photo), coverage area, official channels (team email, pro accounts), activity reports, schedule, leads.
What we don't do no access to data for Ambassadors/ATLs personal users, apart from messages voluntarily exchanged via official channels or approved public events.
Legal basis contract & legitimate interest (network management), strict compliance with the minimization.

7) With whom we share data (categories of recipients)

Technical subcontractors Hosting (cloud/server), CDN, backups, monitoring, emailing/SMS tools, support tools (helpdesk), analytics (proprietary or compliant third-party solutions).
Payments & anti-fraud payment services (cards, wallets, mobile money), anti-fraud tools.
Advertising & ad-tech adserver (e.g. Revive Adserver self-hosted), advertising platforms activated only with consent.
Business partners : advertisers/sponsors (reports aggregated/anonymized), FlyStore merchants (order fulfillment), travel services (insurers, hoteliers).
Consulting & compliance : lawyers, auditors, independent experts (limited and contractually restricted access).
Authorities justice, police, regulators, if the law requires it or to defend our rights.

Never from sale personal data. Sharing is done under DPA (Data Processing Agreements) +. confidentiality clauses.

8) International transfers

When data is transferred outside your country (e.g. EU→R.-U.K./USA/Others):

We use Standard Contractual Clauses (SCC) the European Commission and/or Addenda UK.
We give preference to service providers with adequate guarantees, including certification. EU-US Data Privacy Framework when applicable.
We carry out transfer valuations (TIA) if required.

9) Shelf life

Category	Duration
Account & profile	As long as the account is active; deletion within 30 days of closure (unless required by law).
Identity (KYC)	13 months after verification (or according to local law) then deletion/anonymization.
Payments & invoices	10 years (accounting requirement in many countries).
Route history	24 months (then aggregation/anonymization for analytics).
Messages / support	24 months after ticket closure.
Technical logs	12 to 18 months.
Analytics/marketing cookies	Depending on consent and local recommendations (usually 6-13 months).
FlyPoints (balance/history)	As long as the account is active (necessary for service & evidence), then anonymization.

10) Your rights

Depending on your jurisdiction (EU/UK/Brazil/California, etc.), you have access to :

Right of access (get a copy of your data).
Right of rectification.
Right to erasure (within legal limits).
Right to object (including marketing / marketing profiling).
Right to limitation.
Right to portability (structured format).
Right to withdraw your consent at any time (e.g. cookies, notifications).
Post-mortem instructions (depending on country).

To exercise your rights : privacy@flypool.me (proof of identity may be required).
Recommended principal supervisory authority (if United Kingdom) : ICO. If you live in the EU, please contact your national authority.

11) Safety

Encryption TLS in transit; encryption of sensitive data at rest; passwords chopped & salted.
Access control and environment segmentation; key management; logging and supervision.
Regular testing (code reviews, vulnerability scans, hardening).
Plans incident response & encrypted backups.
Principle of least privilege for staff and subcontractors (including confidentiality agreements).

In the event of a high-risk data breach, we will notify the competent authority and the persons concerned within the legal deadlines.

12) Cookies, SDK & similar technologies

12.1 Typologies

Essentials security, session, anti-fraud, preferences (not subject to consent).
Audience measurement Aggregated analytics (consent required depending on jurisdiction and tool).
Marketing & retargeting pixels, third-party cookies (always opt-in).
Functional chat support, embedded videos, A/B testing (as appropriate, consent).

12.2 Management

Consent banner (granular choice, accept/refuse/parameterize).
Table "Cookies & SDK"You can access the list, purpose, duration and supplier information on the app and website.
Withdrawal/modification at any time via "Settings > Privacy".

13) Automated decisions & profiling

Assigned : route suggestions, driver-passenger matching, FlyStore recommendations, FlyPoints allocation.
No legal effect nor exclusively automated decisions producing significant similar effects within the meaning of art. 22 RGPD.
Rights: request human intervention, express your point of view, challenge a decision.

14) Minors

Our Services are not intended for under 16 in the EU/UK (or 13 years in other countries, depending on local law).
No conscious processing of data from children under the required ages. Detected accounts will be deleted.

15) Communications, notifications & preferences

Transactional e-mails confirmations, receipts, security (always sent).
Marketing newsletters/offers (opt-in, 1-click unsubscribe).
Push only if activated on the device; adjustable at any time.
SMS for security (OTP) or critical notifications; marketing by consent.

16) Relations with partners & advertisers

Advertisers / Sponsors : receive reports aggregates (impressions, clicks) without identifying the user by name.
FlyStore merchants only receive data strictly necessary order processing (identity, address, telephone number, delivery details).
Mobility & travel partners : minimized exchanges (e.g. eligibility for an offer), on a contractual basis and with adequate guarantees.
NGO (donations/impact): aggregated and anonymized statistics, except with explicit consent to communicate your name (e.g. "wall of thanks").

17) Internal tools (Odoo, Mattermost, etc.)

Used for the operational management (support, CRM, accounting, HR).
Access restrictedlogged, and proportionate to the mission.
Data not exported without legal basis and DPA.

18) Retention & anonymization (details)

We anonymize and/or aggregate data for the purposes of the statisticsthe quality of service and the product search.
Anonymization is irreversible (we do not seek to re-identify).
Anonymized data can be stored beyond of the above durations, as they are no longer personal.

19) How to exercise your rights (process)

Send an email to privacy@flypool.me with the subject "Exercise of rights" and specify your request.
We verify your identity (email/OTP, or ID if required).
Response time : 30 days (extendable by 60 days for complex requests, you will be informed).
Secure transmission of response (encrypted file if required).

20) How to delete your account

Via Settings > Account > Delete my account (app) or on the website.
Effects: deletion or anonymization of data not required by law (e.g. invoices).
Visit FlyPoints unused are lost on deletion (see GTC/FlyPoints Program).

21) Changes to the Policy

Any substantial modification will be notified by email and/or via the application, with an updated effective date.
The current version is always available in the app and on the website.

22) Contact us

General questions / support : support@flypool.me
Privacy / DPO : privacy@flypool.me
Postal address Mathieu Burthey Company LP, 23w 23 Woodvale Avenue, Giffnock, Glasgow, G46 6RG, United Kingdom.
Control authority (UK): Information Commissioner's Office (ICO). For the EU, please contact the authority in your country.

Privacy policy