Privacy Policy

Last updated: 30 May 2026

1. Who we are

Flightscan is a trading name of 786 Infinite Ltd, a company registered in England and Wales (Company No. 12533644, VAT No. 516 0068 22), with its registered office at 128 City Road, London EC1V 2NX. References to “we”, “our” or “us” in this policy mean 786 Infinite Ltd.

Flightscan is the data controller for personal data collected through flightscan.co.uk. You can contact us at info@flightscan.co.uk.

We are registered with the UK Information Commissioner’s Office (ICO) under registration number ZC130465.

2. What data we collect

When you search for or book a flight, we collect:

• Search data: origin, destination, dates, cabin class, passenger count.
• Passenger details: full name, date of birth, title, and where required by the airline, passport or identity document details.
• Contact details: email address and, if provided, phone number.
• Payment details: card information is collected directly by our payment processor (Stripe) through a secure hosted form. We do not see, store or have access to your full card number at any time.
• Booking records: booking reference, flight details, amounts paid, extras purchased (seats, bags).
• Technical data: IP address, browser type, device information, and error diagnostics collected automatically for security and site reliability.

We also collect:

• Statistical or aggregated information. Statistical or aggregated data does not directly identify a specific person, but we may derive non-personal statistical or aggregated data from personal data. For example, we may aggregate personal data to calculate the percentage of users accessing a specific feature.
• Technical information. Technical information includes information about your internet connection and usage details about your interactions with the services, such as clickstream information to, through, and from our services (including date and time), products that you view or search for; page response times, download errors, length of your visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), or methods used to browse away from a page.

If we combine or connect non-personal statistical or technical data with personal data so that it directly or indirectly identifies an individual, we treat the combined information as personal information.

Our services are not directed at children under the age of 16. Bookings on behalf of minors must be made by a parent or legal guardian, who provides the necessary personal data and consents to its processing on the child’s behalf. If we learn we have inadvertently collected personal data directly from a child under 16 without parental consent, we will delete that information.

3. Why we use your data and our legal basis

• To process your booking (contract): we share passenger details with airlines and Duffel to issue your ticket, and payment data with Stripe to collect payment.
• To send booking confirmations and manage your booking (contract): we send transactional emails about your booking and allow you to look up your booking via the Manage Booking page.
• To comply with legal obligations (legal obligation): we retain transaction records for tax, accounting and consumer protection purposes.
• To secure our site and prevent fraud (legitimate interest): we use rate limiting, error monitoring and security logging to protect customers and our service.

We do not send marketing emails and do not use your data for advertising or profiling.

4. Who we share your data with

We only share your data with service providers who help us run Flightscan. These are:

• Duffel Technology Limited — flight search, booking and ticket issuance. UK-based. No international transfer.
• Stripe Payments Europe Ltd — our payment processor for card, Apple Pay, Google Pay and Pay by Bank transactions. Ireland-based. Transfers outside the UK/EEA, where Stripe’s global infrastructure is used, are protected by the UK Extension to the EU–US Data Privacy Framework (Stripe is DPF-certified) and Stripe’s UK IDTA-compliant data processing addendum. We do not see or store full card numbers.
• Airlines — the airline(s) operating your flight receive the passenger details necessary to issue your ticket. Data is transferred to airline systems worldwide; the legal basis is contractual necessity.
• Resend — sends transactional booking confirmation emails on our behalf. US-based. Transfers are protected by the UK Extension to the EU–US Data Privacy Framework (where Resend is DPF-certified) or, where applicable, the UK International Data Transfer Agreement (UK IDTA).
• Vercel Inc. — hosts the Flightscan website and API, and stores backup snapshots of booking records in Vercel Blob storage. US-headquartered with a global edge network. Transfers are protected by the UK Extension to the EU–US Data Privacy Framework (Vercel is DPF-certified) and Vercel’s UK IDTA-compliant data processing addendum.
• Upstash — provides rate-limiting infrastructure and stores booking records (order ID, booking reference, customer email, route, charge amount, booking status). EU region. No international transfer outside UK/EU.
• Sentry (Functional Software Inc.) — error monitoring and diagnostics. US-based. Transfers are protected by the UK Extension to the EU–US Data Privacy Framework (Sentry is DPF-certified) and Sentry’s UK IDTA-compliant data processing addendum. We have configured Sentry with a reduced sampling rate for PECR compliance; Session Replay is disabled.
• Zoho Corporation B.V. (Zoho Mail) — provides hosted email infrastructure for our info@flightscan.co.uk inbox, where customer support enquiries and Subject Access Requests are received and replied to. EU data centre (Amsterdam). No international transfer outside UK/EU.

We do not sell your personal data to anyone, and we do not share it with advertisers or data brokers.

5. How long we keep your data

We retain booking records and transaction data for 6 years after the date of your booking, in line with HMRC record-keeping requirements. Technical logs (error diagnostics, rate-limit data) are kept for up to 90 days. Search queries that do not result in a booking are not retained beyond the life of your browser session.

6. Your rights and how to exercise them

Under UK GDPR and the Data (Use and Access) Act 2025 you have the right to:

• access the personal data we hold about you (Subject Access Request);
• ask us to correct inaccurate data;
• ask us to delete your data, where we no longer need it for a lawful purpose;
• ask us to restrict or object to how we use your data;
• receive a copy of your data in a portable format;
• withdraw consent at any time where we rely on it (we currently do not rely on consent for any processing).

To submit a Subject Access Request or exercise any of the above rights: email info@flightscan.co.uk with the subject line “Data Request”. Please include your name and booking reference if applicable. We will respond within one month, applying the “reasonable and proportionate” standard set out in the Data (Use and Access) Act 2025.

7. Data security and breach notification

We take reasonable technical and organisational measures to protect your personal data against unauthorised access, loss or disclosure. Payment card data is never transmitted to or stored on our servers — it is handled entirely within Stripe’s PCI-DSS-compliant infrastructure.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it, as required by UK GDPR Article 33. Where the breach is likely to result in a high risk to you personally, we will also notify you directly without undue delay.

8. Complaints

Complaints to us: if you are unhappy with how we have handled your data, please contact us first at info@flightscan.co.uk. Under the Data (Use and Access) Act 2025 you have the right to complain directly to us about our data handling. We will acknowledge your complaint within 30 days.

Complaints to the ICO:you also have the right to complain to the UK Information Commissioner’s Office at any time:

9. Changes to this policy

We may update this policy from time to time. The “last updated” date at the top of the page will always reflect the most recent version.

See also: Terms & Conditions · Cookie Notice