Legal document
Privacy Policy
Last updated: 19 March 2026 · Applicable to the FlyMates mobile app and the FlyMates website.
Article 1 — Data Controller
The controller of personal data collected through the FlyMates application and the associated website is FlyMates, reachable at the following email address: legal@flymates.app.
As data controller, FlyMates undertakes to ensure the lawfulness, fairness and transparency of the processing carried out on your personal data.
Article 2 — Data Collected
In the course of its operation, FlyMates may collect the following categories of data:
2.1 Identification and contact data
- First name and surname
- Email address
- Profile picture (optional)
2.2 Travel data
- Registered flight number (e.g. AF1234)
- Date and time of flight
- Departure and arrival airports
2.3 Profile data
- Languages spoken (optional)
- Countries visited (optional)
- Ratings and reviews left by other users
2.4 Technical data
- Authentication tokens (access token and refresh token)
- Push notification token (for in-app notifications)
- Connection timestamps
Article 3 — Purposes and Legal Bases of Processing
The processing carried out by FlyMates pursues the following purposes, on the corresponding legal bases within the meaning of Article 6 of the GDPR:
| Purpose | Legal basis |
|---|---|
| User account creation and management | Performance of contract (Art. 6.1.b) |
| Connecting passengers on the same flight | Performance of contract (Art. 6.1.b) |
| Instant messaging between passengers | Performance of contract (Art. 6.1.b) |
| Sending verification and security emails | Performance of contract (Art. 6.1.b) |
| Sending push notifications | Consent (Art. 6.1.a) |
| Anonymised usage statistics | Legitimate interest (Art. 6.1.f) |
| Compliance with legal obligations | Legal obligation (Art. 6.1.c) |
Article 4 — Retention Period
FlyMates retains your personal data for the period strictly necessary for the purposes pursued:
- Active account data: for the entire duration of the contractual relationship, then 3 years from the last activity (legitimate interest — prospecting).
- Messaging data: retained while the account is active; deleted upon account deletion.
- Authentication tokens: deleted on logout or expiry.
- Technical logs: 12 rolling months.
- Potential billing data: 10 years (statutory accounting obligation).
Article 5 — Data Recipients
Your personal data is intended for the authorised teams of FlyMates and, to the extent strictly necessary, for our technical sub-processors (hosting provider, email sending service). These sub-processors act solely according to our instructions and are bound by a data processing agreement in accordance with Article 28 of the GDPR.
We do not sell, rent, or transfer your personal data to third parties for commercial purposes.
Your data may also be disclosed to the competent authorities upon judicial or legal request.
Article 6 — Transfers Outside the European Union
FlyMates undertakes to process your data within the European Union or in countries benefiting from an adequacy decision by the European Commission. In the event of a transfer to a third country, appropriate safeguards (standard contractual clauses, certification mechanisms) will be put in place in accordance with Chapter V of the GDPR.
Article 7 — Your Rights
In accordance with the GDPR and the French Data Protection Act, you have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR): obtain confirmation of the processing of your data and obtain a copy.
- Right to rectification (Art. 16 GDPR): have inaccurate or incomplete data corrected.
- Right to erasure (Art. 17 GDPR): obtain deletion of your data in the cases provided for by law.
- Right to restriction of processing (Art. 18 GDPR): request a temporary suspension of processing.
- Right to data portability (Art. 20 GDPR): receive your data in a structured, machine-readable format.
- Right to object (Art. 21 GDPR): object to processing based on legitimate interest.
- Right to withdraw consent: at any time, for processing based on your consent.
- Right to define post-mortem instructions: regarding the fate of your data after your death.
To exercise these rights, send your request to: legal@flymates.app. We undertake to respond within one (1) month of receiving your request (this period may be extended by two months in the case of a complex or multiple request).
If you are not satisfied with our response, you have the right to lodge a complaint with the French data protection authority (CNIL) — www.cnil.fr.
Article 8 — Data Security
FlyMates implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including: password storage using secure hashing (bcrypt), communication over HTTPS, access management based on the principle of least privilege, and systematic session revocation upon sensitive account changes (email change, password reset).
In the event of a data breach likely to result in a risk to your rights and freedoms, FlyMates undertakes to notify the competent authority within 72 hours and to inform you as soon as possible if the risk is high.
Article 9 — Cookies and Analytics
The FlyMates mobile app does not place cookies. The website does not use any advertising or profiling cookies.
The website uses Umami Analytics, a privacy-friendly audience measurement tool. Umami places no cookies, collects no personally identifiable data, and performs no cross-site tracking. The data collected (pages visited, traffic source, device type) is fully anonymised and cannot be used to identify you. This processing is based on our legitimate interest in understanding the use of our website (Art. 6.1.f GDPR). No consent is required.
Article 10 — Policy Updates
This Privacy Policy may be updated to reflect legal, regulatory or functional developments. Any material change will be notified to you by email or via an in-app notification at least thirty (30) days before it takes effect. The version in force is the one published on this page, dated at the top of the document.