Privacy Policy

Last updated: March 15, 2026

This Privacy Policy explains how LUX Services LLC ("Company," "we," "our," "us"), the operator of FlightKitten ("Service"), collects, uses, shares, retains, and protects your personal information. By using the Service, you consent to the practices described in this policy. If you do not agree with this Privacy Policy, you must immediately stop using the Service and delete your account.

1. Information We Collect

1.1 Information You Provide Directly

  • Account information: Email address, display name, and password (or OAuth tokens) when you create an account through our authentication provider (Supabase Auth).
  • Watchlist preferences: Origin and destination airports, travel dates, date ranges and flexibility, target prices, passenger counts, and other search preferences you configure when creating watchlists.
  • Billing information: Payment details (credit/debit card numbers, billing addresses) are collected and processed entirely by our payment processor, Stripe, Inc. We never receive, access, store, or process your full card numbers or financial account details on our servers. We receive only a record of your subscription status, plan type, billing dates, and transaction history from Stripe.
  • Communications: Information you provide when contacting our support team through the contact form or via email, including message content, topic category, and any attachments you choose to include.
  • Feedback and surveys: Any feedback, suggestions, reviews, or survey responses you voluntarily submit.

1.2 Information Collected Automatically

  • Usage data: Pages visited, features used, watchlist creation and modification activity, scan history, alert interactions (opens, clicks), and timestamps of all interactions.
  • Device and browser data: IP address (used for security and abuse prevention, not for advertising), browser type and version, operating system, device type, screen resolution, language preference, time zone, and referring URLs.
  • Server logs: Our hosting provider (Vercel) automatically collects server access logs including IP addresses, request timestamps, URLs accessed, HTTP methods, response codes, and response times. These logs are used exclusively for security monitoring, error diagnosis, abuse prevention, and performance optimization. They are not used for marketing or advertising.
  • Authentication tokens: Encrypted session tokens and cookies necessary for maintaining your authenticated state across requests.

1.3 Information We Do NOT Collect

We believe in data minimalism. We explicitly do not collect:

  • Credit card numbers, bank account details, or financial account information (handled entirely by Stripe).
  • Precise geolocation data (GPS coordinates, Bluetooth, or Wi-Fi positioning).
  • Biometric data (fingerprints, facial recognition, voice prints).
  • Social media account information or social graph data.
  • Contacts, address books, or phone numbers.
  • Browsing history on other websites.
  • Data from advertising trackers, social media pixels, cross-site tracking technologies, browser fingerprinting, or behavioral targeting technologies of any kind; we do not use any of these.

2. How We Use Your Information

We use the information we collect solely for the following purposes:

  • Service delivery: Providing, maintaining, and improving the Service, including scanning for flight prices based on your watchlist configurations and sending deal alerts when prices match your criteria.
  • Payment processing: Processing your subscription payments, managing billing cycles, and maintaining accurate account status through our integration with Stripe.
  • Transactional communications: Sending essential transactional emails including account verification, password resets, deal alerts, subscription confirmations, payment receipts, and trial expiration notices.
  • Customer support: Responding to your inquiries, support requests, and feedback in a timely manner.
  • Service improvement: Monitoring and analyzing aggregate usage patterns to improve performance, reliability, feature development, and user experience. This analysis uses aggregated and anonymized data.
  • Security: Detecting, preventing, and addressing fraud, abuse, unauthorized access, security threats, and technical issues.
  • Aggregate statistics: Generating aggregate, de-identified statistics about Service usage for internal business analysis.
  • Legal compliance: Complying with legal obligations, enforcing our Terms of Service, and protecting our rights and the rights of our users.

We do NOT use your data for: Targeted advertising, behavioral profiling, selling to data brokers, political profiling, credit scoring, or any purpose other than providing and improving the Service.

3. How We Share Your Information

We do not sell, rent, lease, trade, or otherwise commercially transfer your personal information to third parties for marketing, advertising, or any other commercial purpose. Period.

We share your data only in the following strictly limited, necessary circumstances:

  • Payment processing (Stripe): Stripe, Inc. processes your payment information under their own Privacy Policy. Stripe is PCI-DSS Level 1 certified — the highest level of payment security compliance.
  • Infrastructure providers: We use Vercel (hosting and serverless infrastructure), Supabase (database, authentication, and real-time subscriptions), and Resend (transactional email delivery). These providers process limited data on our behalf under data processing agreements (DPAs) and are contractually obligated to protect your data and use it only for providing their services to us.
  • Flight data providers: To scan flight prices, we send search queries containing your watchlist parameters (airport codes, travel dates, passenger counts) to third-party flight data APIs. These queries do not include your name, email address, account ID, IP address, or any other personally identifiable information.
  • Legal requirements: We may disclose information only if required to do so by applicable law, valid legal process, regulation, subpoena, court order, or governmental request, and only to the minimum extent required.
  • Business transfers: In the event of a merger, acquisition, bankruptcy, reorganization, or sale of all or a portion of our assets, user data may be among the assets transferred. We will make reasonable efforts to notify affected users via email before your information becomes subject to a materially different privacy policy, and will provide you with the opportunity to delete your account before any such transfer.
  • Protection of rights: We may share information when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others; investigate fraud or security concerns; or respond to emergencies.

4. Data Retention & Deletion

We retain your personal information only for as long as necessary to fulfill the purposes described in this policy. Specifically:

  • Account data: Retained for the duration of your active account. Upon account deletion, personal data is permanently deleted or irreversibly anonymized within 30 calendar days.
  • Watchlist and scan history: Retained for the duration of your subscription. Upon account deletion, this data is deleted or permanently anonymized within 30 days.
  • Billing records: Retained as required by applicable tax, accounting, and financial reporting regulations (typically up to 7 years). These records are primarily maintained by Stripe.
  • Server logs: Automatically purged after 90 days.
  • Support communications: Retained for up to 2 years after resolution for quality assurance and legal purposes, then permanently deleted.
  • Anonymous/aggregate data: May be retained indefinitely as it cannot be used to identify you.

When you delete your account, we initiate complete deletion of your personal data within 30 days, except where retention is legally required. You may request account deletion at any time from your account settings or by emailing support@flightkitten.com.

5. Aggregate & Anonymized Data

We may create aggregate, de-identified, or anonymized data from your personal information by removing all identifying attributes. We may use and share such anonymized data for any lawful purpose, including analyzing usage trends, improving the Service, generating industry research, and business development. This data can never be used to re-identify you.

6. Cookies & Tracking Technologies

We use a minimal set of cookies, strictly limited to what is necessary for the Service to function:

  • Essential/authentication cookies: Required for login, session management, CSRF protection, and security. These are first-party cookies set by our domain only. They cannot be disabled without losing the ability to use the Service.
  • Preference cookies: Remember your settings, language preferences, and UI state (e.g., collapsed panels, selected filters). First-party only.

We do NOT use: advertising cookies, third-party tracking cookies, social media pixels (Facebook, TikTok, etc.), third-party analytics cookies (Google Analytics, etc.), cross-site tracking technologies, browser fingerprinting, canvas fingerprinting, or any retargeting/remarketing technologies.

You can manage cookies through your browser settings. Blocking essential cookies may prevent you from logging in or using core features.

7. Do Not Track (DNT) Signals

Some web browsers transmit "Do Not Track" (DNT) signals. While there is currently no universal industry standard for recognizing or responding to DNT signals, we want to be clear: we do not engage in cross-site tracking, serve targeted advertising, or share data with ad networks regardless of your browser's DNT setting. Your privacy is protected by default.

8. Data Security

We implement industry-standard and commercially reasonable security measures to protect your personal information, including but not limited to:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or later (HTTPS, commonly still referred to as SSL).
  • Encrypted database storage: Personal data is stored in encrypted databases managed by Supabase with row-level security (RLS) policies ensuring users can only access their own data.
  • Secure authentication: Authentication is handled by Supabase Auth using industry-standard mechanisms (bcrypt password hashing, JSON Web Tokens (JWTs), and secure session management).
  • Payment security: All payment processing is handled by Stripe, which is PCI-DSS Level 1 certified — the highest level of payment industry security compliance. We never handle, see, or store your card details.
  • Access controls: Internal access to production data is strictly limited to authorized personnel on a need-to-know basis.
  • Infrastructure security: Our hosting provider (Vercel) maintains SOC 2 Type II compliance and provides DDoS protection, WAF, and automated threat detection.

However, no method of electronic transmission or storage is 100% secure. We cannot and do not guarantee absolute security. You use the Service and transmit data at your own risk.

9. Data Breach Notification

In the unlikely event of a data breach that compromises your personal information, we will:

  • Take immediate steps to contain and remediate the breach.
  • Investigate the nature, scope, and impact of the incident.
  • Notify affected users via email within 72 hours of becoming aware of the breach, where feasible.
  • Notify applicable data protection authorities as required by law (e.g., within 72 hours under GDPR).
  • Provide clear information about what data was affected, what actions we're taking, and what steps you should take to protect yourself.

10. Third-Party Links & Services

The Service may contain links to third-party websites, services, and platforms (including airlines and booking sites). We have no control over and assume no responsibility for the content, privacy policies, data practices, or security of any third-party sites. Clicking on a link to a third-party site does not mean we endorse or are affiliated with that site. We strongly encourage you to review the privacy policies of any third-party sites you visit before providing any personal information.

11. Email Communications

We may send you the following categories of email communications:

  • Essential transactional emails: Account verification, password resets, subscription confirmations, payment receipts, trial expiration notices, and account security alerts. These are required for the Service to function and cannot be opted out of while maintaining an active account.
  • Deal alerts: Price drop notifications and deal alerts based on your watchlist configurations. You can enable, disable, or adjust the frequency of these from your account settings or watchlist configurations.
  • Route briefings: Daily or weekly market briefings for your watchlists. Frequency is configurable from your settings.
  • Important service updates: Notices about material changes to our Service, Terms, Privacy Policy, or security-related matters. These are sent infrequently and only when genuinely important.

We do NOT send: marketing emails, promotional newsletters, partner offers, sponsored content, third-party promotions, or any unsolicited commercial communications. All emails are transactional in nature.

All email communications are delivered through Resend, our transactional email provider, from the @flightkitten.com domain.

12. Your Rights & How to Exercise Them

12.1 Rights for All Users (Worldwide)

Regardless of your location, you have the right to:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate, incomplete, or outdated personal data.
  • Deletion: Delete your account and all associated personal data via account settings or by contacting us. Deletion is permanent and irreversible.
  • Opt-out: Opt out of non-essential communications (deal alerts, briefings) from your settings.
  • Data portability: Request export of your data in a common, machine-readable format (JSON or CSV) upon written request.
  • Restrict processing: Request that we limit how we process your data in certain circumstances.

To exercise any of these rights, email us at support@flightkitten.com with the subject line "Privacy Rights Request." We will verify your identity and respond to verified requests within 30 calendar days. Complex requests may take up to 45 days with notice.

12.2 Additional Rights for EEA/UK Residents (GDPR)

If you are located in the European Economic Area or the United Kingdom, you have additional rights under the General Data Protection Regulation:

  • Legal basis for processing: We process your data based on: (a) contract performance (providing the Service you subscribed to); (b) legitimate interests (security, fraud prevention, service improvement); and (c) your consent (where applicable). You may withdraw consent at any time.
  • Right to object: Object to processing based on our legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
  • Right to data portability: Receive your data in a structured, commonly used, machine-readable format and have it transmitted to another controller.
  • Right to lodge a complaint: File a complaint with your local data protection authority (DPA) if you believe we have violated your data protection rights.
  • Data Protection Officer: For GDPR inquiries, contact us at privacy@flightkitten.com.

12.3 Additional Rights for California Residents (CCPA/CPRA)

Under the California Consumer Privacy Act and the California Privacy Rights Act, California residents have the right to:

  • Know: Know what personal information is collected, used, shared, or sold, and the categories of sources from which it is collected.
  • Delete: Request deletion of personal information we have collected.
  • Correct: Request correction of inaccurate personal information.
  • Opt out of sale/sharing: We do NOT sell personal information. We do NOT share personal information for cross-context behavioral advertising. There is nothing to opt out of.
  • Non-discrimination: Exercise your privacy rights without discrimination in pricing or service levels.
  • Limit use of sensitive personal information: We do not collect sensitive personal information as defined by the CPRA.

California residents may submit requests by emailing support@flightkitten.com with the subject line "CCPA Request." We will verify your identity and respond within 45 calendar days as required by law.

13. International Data Transfers

Your information is processed and stored in the United States, where our servers and primary service providers are located. If you are accessing the Service from outside the United States (including from the EEA, UK, or other jurisdictions with data protection laws that differ from US law), please be aware that your information will be transferred to, stored, and processed in the United States.

By using the Service, you explicitly consent to such international transfers. For EEA and UK residents, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection for cross-border data transfers. We also ensure that our sub-processors provide appropriate data protection safeguards.

14. Children's Privacy

The Service is not directed to, designed for, or intended for use by individuals under the age of 18 (or the age of majority in your jurisdiction, whichever is higher). We do not knowingly collect, solicit, or process personal information from children. If we become aware that we have inadvertently collected personal information from a child under 18, we will take immediate steps to delete such information and terminate the associated account. If you believe a child has provided us with personal data, please contact us immediately at support@flightkitten.com.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The "Last updated" date at the top of this page indicates when this policy was last revised.

For material changes that significantly affect how we handle your personal information, we will provide prominent notice through one or more of the following: posting the updated policy on this page with a clear change summary, sending an email notification to the address associated with your account, or displaying an in-app notification. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy.

16. Data Processing Addendum for Business Users

If you are using the Service on behalf of an organization that requires a formal Data Processing Agreement (DPA) or Data Processing Addendum, please contact us at privacy@flightkitten.com to discuss and execute appropriate contractual safeguards.

Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data rights, or have a privacy concern, please contact us:

LUX Services LLC
8 The Green, STE R, Dover, DE 19901
United States
Email: support@flightkitten.com
Privacy inquiries: privacy@flightkitten.com