Privacy Policy
Your privacy is important to us. Learn how we protect your data.
Last updated: March 2026
Table of Contents
We want you to feel comfortable on our website at www.flysmartdeals.com and not have to worry about the security of your data. That is why data protection is an important part of our corporate philosophy.
In this Privacy Policy, you will find all the information about which Personal Data we collect and process and for what purpose. Equally, we will also inform you of your data protection rights and how you can assert them.
General Principles
What is Personal Data?
Personal Data is “any information relating to an identified or identifiable natural person.” This includes, for example, name or address data, telephone number, mobile number, or online identifiers such as your device ID and your IP address.
What is Processing?
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means. The term is broad and covers virtually any handling of data.
Who is Responsible for Data Processing?
The responsible party for data processing is FlySmartDeals Ltd, 128 City Road, London, United Kingdom, EC1V 2NX (“FlySmartDeals”, “we”, “us”, “our”). If you have any questions or if you wish to exercise your rights, please contact us by email using [email protected].
ICO Registration Number: ZC109017
What Law Applies?
Our use of your Personal Data is subject to the UK's Data Protection Act (“DPA”), and the EU's General Data Protection Regulation (“GDPR”), and of course we process your Personal Data accordingly.
Legal Bases for Processing
In accordance with the DPA and the GDPR, we have to have at least one of the following legal bases to process your Personal Data: a) you have given your consent, b) the data is necessary for the fulfilment of a contract / pre-contractual measures, c) the data is necessary for the fulfilment of a legal obligation, or d) the data is necessary to protect our legitimate interests, provided that your interests are not overridden.
Competent Data Protection Authority
The supervisory authority in the UK is the Information Commissioner's Office (ICO). The ICO is located at Wycliffe House, Water Ln, Wilmslow SK9 5AF, UK or online at www.ico.org.uk. However, we would appreciate the opportunity to address your concerns before you approach the ICO or any other supervisory authority.
Data Retention Overview
We process and store your Personal Data only for the period of time required to achieve the respective processing purpose or for as long as a legal retention period exists. Once the purpose has been achieved or the retention period has expired, the corresponding data is routinely deleted. Specific retention periods are detailed in the Data Retention Periods section below.
What Personal Data Do We Process?
Technical Data
When you access our website, some access data is recorded automatically and stored in a log file on our website's server. This includes:
- The IP address of your computer
- The date and time of your access
- The name and URL of the accessed file
- The browser used
- The amount of bytes transferred
- The status of the page request
- The session ID
- The referrer URL
The legal basis for processing is our legitimate interest.
Contacting Us
You can contact us in various ways and data is always collected in the process. You provide us with most of the data that we process when you contact us such as your name and email address. This data is collected and processed exclusively for the purpose of contacting you and processing your request and then deleted again, provided that there is no legal obligation to retain it.
Register for an Account
It is possible for you to register for an account. For this purpose, you can choose a password and you provide us with your full Name, email address and password. Alternatively, you can sign in using the convenient sign-in feature of Google or Facebook. If you register using the Google or Facebook Connect feature, you agree to the relevant terms and conditions and consent to certain data from your respective profile being transferred to us.
Booking with Us
We process various data as part of the provision of our services, bookings and for the initiation and fulfilment of the contractual relationship between you and us. If you have commissioned us to provide a booking service, we process your data (if provided: Name, contact details, address, and all travel and booking information) exclusively for the purpose of processing and handling the contractual relationship. This includes our appropriate advice and support, correspondence with you, invoicing and the fulfilment of our accounting and tax obligations.
Fonts
We use Google Fonts on our website to display external fonts. To enable the display of certain fonts on our website, a connection to a Google server is established when our website is accessed. This represents a legitimate interest.
Third-Party Data Processors
We work with carefully selected third-party service providers who process personal data on our behalf. Each processor is bound by a Data Processing Agreement (DPA) and is required to handle your data in accordance with the GDPR and UK DPA.
Payment Processing
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Stripe | Payment processing, fraud prevention | Name, email, card details, billing address, IP address | US (EU SCCs) |
Travel Service Providers (GDS & Aggregators)
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Duffel | Flight search, booking, and ticketing | Passenger names, dates of birth, passport/ID details, contact information | UK/EU |
| Amadeus | Flight and hotel search, booking | Passenger names, travel dates, destination details | EU (Madrid) |
| Sabre | Flight search and booking (GDS) | Passenger names, dates of birth, passport/ID details, contact information | US (EU SCCs) |
Communications
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| SMTP2GO | Transactional email delivery (booking confirmations, password resets) | Email address, name, email content | NZ/US (EU SCCs) |
Infrastructure & Security
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Cloudflare | CDN, DDoS protection, DNS | IP address, request headers, traffic metadata | Global (EU SCCs) |
Analytics & Performance (Consent Required)
The following providers are only activated after you have given your explicit consent via our cookie banner:
| Provider | Purpose | Consent Category | Location |
|---|---|---|---|
| Google Analytics 4 / GTM | Website analytics, conversion tracking | Analytics | US (EU SCCs) |
| PostHog | Product analytics, session replay, feature flags | Analytics | EU (Frankfurt) |
| Microsoft Clarity | Heatmaps, session recordings, UX analysis | Analytics | US (EU SCCs) |
| Meta Pixel | Advertising attribution, remarketing | Marketing | US (EU SCCs) |
| TikTok Pixel | Advertising attribution, remarketing | Marketing | US/Singapore (EU SCCs) |
Data Retention Periods
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The following table sets out our standard retention periods:
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Account information (name, email, password hash) | Duration of account + 2 years after deletion request | Contract performance |
| Booking and transaction records | 7 years from transaction date | Legal obligation (UK tax/accounting law) |
| Payment card data (held by Stripe) | As per Stripe's retention policy; we do not store card numbers | Contract performance |
| Passport / ID details (for bookings) | 90 days after travel completion | Contract performance |
| Customer support correspondence | 3 years from last interaction | Legitimate interest |
| Cookie consent preferences | 13 months | Consent / legal obligation |
| Analytics data (aggregated) | 26 months | Consent |
| Server access logs | 90 days | Legitimate interest (security) |
| Marketing consent records | Duration of consent + 3 years after withdrawal | Legal obligation (proof of consent) |
| Wallet & loyalty points | Duration of account + 2 years | Contract performance |
When retention periods expire, data is either securely deleted or anonymised so that it can no longer be associated with you. You may request earlier deletion by exercising your right to erasure, subject to any overriding legal obligations we may have.
Marketing
Insofar as you have given us your separate consent to process your data for marketing and advertising purposes, we are entitled to contact you for these purposes via the communication channels you have given your consent to.
Every directly addressed marketing sent or made by us or on our behalf will include a means by which you may unsubscribe or opt out.
Your Rights and Privileges
Under the UK DPA and GDPR, you have the following rights regarding your personal data. To exercise any of these rights, please contact our Data Protection Officer at [email protected]. We will respond to your request within 30 days.
Right of Access (Article 15)
You have the right to obtain confirmation as to whether we process your personal data and, if so, to request a copy of that data. You can also download your data from your account profile page.
Right to Rectification (Article 16)
You have the right to request correction of inaccurate personal data and to have incomplete data completed. You can update most of your information directly in your account settings.
Right to Erasure (Article 17)
You have the right to request deletion of your personal data when it is no longer necessary for the purpose it was collected, you withdraw consent, or you object to processing. Note that we may need to retain certain data for legal obligations (e.g., financial records for 7 years).
Right to Restrict Processing (Article 18)
You have the right to request that we limit the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.
Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., JSON or CSV), and to have it transmitted to another controller where technically feasible.
Right to Object (Article 21)
You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will cease processing immediately.
Right to Lodge a Complaint
You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint. However, we would appreciate the chance to address your concerns first.
Withdrawing Your Consent
You can withdraw consents you have given at any time by contacting us at [email protected]. For cookie consent, you can update your preferences at any time by clicking “Cookie Settings” in the website footer. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
What We Do Not Do
- We do not request Personal Data from minors and children
- We do not use Automated decision-making including profiling
- We do not sell your Personal Data
Data Protection Officer
We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this Privacy Policy and our data protection practices. If you have any questions about this Privacy Policy, including any requests to exercise your legal rights, please contact the DPO using the details below:
- Name: Diaa Mohamed
- Email: [email protected]
- Address: FlySmartDeals Ltd, 128 City Road, London, EC1V 2NX, United Kingdom
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.
Does This Policy Change?
We may update our Privacy Policy from time to time. This might be for a number of reasons, such as to reflect a change in the law or to accommodate a change in our business practices. We recommend that you check here periodically for any changes to our Privacy Policy.
Contact Us
If you have any queries as regards the collection, processing or use of your information, we are looking forward to hearing from you.
- Company: FlySmartDeals Ltd
- Address: 128 City Road, London, EC1V 2NX, United Kingdom
- Data Protection Officer: Diaa Mohamed
- Email: [email protected]
- General Enquiries: [email protected]
- ICO Registration: ZC109017
Social Media
We are present on social media on the basis of our legitimate interest (Facebook, Instagram, X (formerly Twitter), Pinterest and YouTube (Google)). If you contact or connect with us via social media, we and the relevant social media platform are jointly responsible for the processing of your data.
Your data may also be processed for market research and advertising purposes. For example, usage profiles can be created from your usage behaviour and the resulting interests.