Privacy Policy

We keep it simple: collect only what we need, never sell it, delete it when you ask.

What data we collect

FairFares collects only what is necessary to provide the service. When you create an account we store your email address and hashed password. If you set travel preferences (home airport, budget, preferred destinations), those are stored and linked to your account. If you subscribe to a paid plan, payment details are handled entirely by Stripe — we store only a subscription status and a Stripe customer ID.

Legal basis for processing

We process personal data on the following legal bases under GDPR Article 6:

  • Contract — to deliver the service you signed up for.
  • Legitimate interests — to detect fraud, prevent abuse, and improve reliability.
  • Consent — for marketing and deal-alert emails (you may withdraw at any time via the unsubscribe link or in your account settings).

How we use your data

Your email is used to send deal alerts if you opt in, and for account recovery. Your preferences are used solely to personalise the deals you see. We do not sell, rent, or share your personal data with third parties for marketing purposes.

Cookies and tracking

We use the following cookies:

  • Session cookie — keeps you logged in (essential; expires when you close the browser).
  • Preference cookie — remembers your home airport and currency (functional; 1-year expiry).
  • Analytics — privacy-respecting, cookieless page-view counting. No cross-site tracking cookies, no ad-network pixels, no Google Analytics.

Data processors

We use the following sub-processors to deliver the service. Each processor is bound by a Data Processing Agreement (DPA):

  • Vercel — hosting and edge delivery. Data may transit EU/US servers. Privacy policy: vercel.com/legal/privacy-policy.
  • Supabase — database and authentication. Data stored in eu-west-1 (Ireland). Privacy policy: supabase.com/privacy.
  • Resend — transactional email. Processes your email address to deliver alerts and password-reset emails. Privacy policy: resend.com/legal/privacy-policy.
  • Stripe — payment processing for paid subscriptions. Stripe is an independent controller for payment data. Privacy policy: stripe.com/privacy.

Third-party links

Deal cards link to Google Flights so you can book directly with the airline. Once you leave FairFares, the privacy policy of that third-party site applies. We have no affiliate relationship and receive no commission from bookings.

Data retention

Account data is kept for as long as your account is active. You can delete your account at any time, which permanently removes your personal data from our systems within 30 days. Anonymised, aggregated analytics data may be retained indefinitely.

Your rights under GDPR

As a data subject in the EU/EEA you have the following rights:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — ask us to correct inaccurate or incomplete data.
  • Right to erasure — request deletion of your personal data ("right to be forgotten").
  • Right to data portability — receive your data in a structured, machine-readable format (JSON).
  • Right to restriction — ask us to pause processing while a dispute is resolved.
  • Right to object — object to processing based on our legitimate interests.
  • Right to withdraw consent — unsubscribe from emails at any time without affecting your account.

How to exercise your rights

Email privacy@fairfaresapp.com with the subject line "Data Subject Request" and describe what you would like us to do. We will respond within 30 days. If you believe we are processing your data unlawfully you have the right to lodge a complaint with your national supervisory authority (e.g. the Dutch Autoriteit Persoonsgegevens at autoriteitpersoonsgegevens.nl).

Data protection contact

FairFares does not have a legally required DPO, but all privacy questions are handled personally by the founder. You can reach us at privacy@fairfaresapp.com. We aim to respond within 5 business days.

Security

All data is transmitted over HTTPS. Passwords are hashed using bcrypt before storage. Row-level security (RLS) is enabled in Supabase so each user can only access their own data. We apply the principle of least privilege — automated pipelines have no access to user data.

Changes to this policy

If we make material changes we will notify registered users by email at least 14 days in advance. The date of the last update appears at the bottom of this page.

Last updated: 5 May 2026