Privacy Policy
Last updated: April 21, 2026
1. Data controller
Francesco Antonio Sessa
Milan (MI) — Italy
VAT: IT 11722650964
Email: privacy@flightguard.app
2. Data collected
2.1 Data provided by the user
- Email address — collected only if the user activates an alert. Used exclusively to send notifications relating to the selected flight.
- Flight number and date — used to calculate the risk score. They are not personal data in themselves, but if linked to an email they form part of your alert subscription.
2.2 Data collected automatically
- IP address — used exclusively for rate limiting (max 5 requests/hour). It is not stored permanently: the counter expires after 1 hour.
- Navigation data — collected in anonymous, aggregated form via Umami Analytics (see Cookie Policy). Umami does not use cookies and does not track the user across sessions.
- Interactions with alert emails — see section 7.
- Expo Push Token — if you use the mobile app (iOS/Android) and enable push notifications from the settings, we generate an anonymous device identifier via Expo (ExpoPushToken[...]). The token does not contain personal or contact data: it only serves to deliver push notifications to your specific device. It is associated with the alert email, the platform (iOS/Android) and the IANA timezone (e.g.
Europe/Rome) in order to respect quiet hours. Revocable at any time from the "Push notifications" toggle in the app settings.
3. Purposes of processing
- Calculation of the risk score for the requested flight
- Sending of email alerts (only if requested by the user)
- Rate limiting and security of the service
- Monitoring the status of the flights subject to alerts (delays/cancellations), also after the flight date, to improve the accuracy of the model
- Aggregated and anonymous analytics to improve the service
4. Legal basis
Processing is based on the user's consent (art. 6.1.a GDPR) for the alert subscription and the sending of emails, and on legitimate interest (art. 6.1.f GDPR) for rate limiting, security of the service and aggregated analytics.
5. Data retention
- Alert subscription (email + flight number + date) — retained as long as the alert is active and, in any case, no longer than 90 days after the flight date (to measure the flight outcome). It is deleted at any time at the user's request (see section 8).
- Operational record of the alert — retained in our key-value store for a maximum of 30 days from creation, with automatic expiry.
- Tracking of clicks on links in emails — linked to the alert ID, retained until the alert is deleted.
- Expo Push Token — retained as long as the device is active. It is immediately marked as revoked if: (a) the user disables notifications from the app; (b) the operating system reports the token as no longer valid (app uninstall, permission revocation); (c) the user requests it via email. Tokens revoked more than 30 days ago are deleted.
- Rate limiting — IP counter retained for 1 hour.
- Flight outcome (delay/cancellation) — objective data linked to the flight number and date, do not contain email or other personal identifiers; retained indefinitely for statistical analysis.
6. Sharing with third parties
Data is not sold and we do not share your email address or other contact data with third parties for direct marketing purposes. To provide the service we use the following data processors (art. 28 GDPR):
| Provider | Purpose | Location / Transfer |
|---|---|---|
| Cloudflare, Inc. | Hosting, CDN, database (D1), key-value store (KV) | EU (WEUR region) |
| Resend (Resend Technologies, Inc.) | Sending of alert emails (receives your email address and the content of the email) | United States — transfer covered by EU Standard Contractual Clauses |
| Anthropic PBC | Generation of the natural-language explanation of the risk score (receives flight number, date, score and aggregated data on the risk signals — not the email address) | United States — transfer covered by EU Standard Contractual Clauses |
| Umami Analytics (self-hosted) | Anonymous traffic analysis, without cookies or persistent user identifiers | EU (servers managed directly by the controller) |
| Expo (650 Industries, Inc.) | Push notification service (receives your device token, the iOS/Android platform, and the text of the notification — not the email address). The token is an anonymous device identifier. | United States — transfer covered by EU Standard Contractual Clauses |
| Apple Inc. (APNs) and Google LLC (FCM) | Native OS channels for delivering push notifications: Expo forwards the already-prepared content to the respective system channel. They do not introduce new processors beyond those already covered by the use of iOS/Android. | United States — covered by the iOS/Android terms |
FlightAware is used as a public source of flight information (flight number, schedules, status): it receives no personal data of the user.
With your consent to marketing cookies, the affiliate partner Travelpayouts (independent data controller) may collect data via third-party cookies for affiliate conversion attribution and remarketing. This processing takes place only with prior consent and is governed by the Travelpayouts privacy policy; see also the Cookie Policy.
7. Tracking of alert emails
The alert emails sent by FlightGuard contain:
- Open-tracking pixel — an invisible image served from our domain (
/pixel) that tells us when the email is opened. The event is recorded in aggregated, anonymous form via Umami, without permanently storing the IP address. - Tracked redirect links (
/r/<slug>) — the links in the emails go through an endpoint that records the click, linking it to your alert ID, in order to measure which content is useful. The click log is deleted together with the alert. - UTM parameters — the links to the site contain parameters
utm_source=flightguard&utm_medium=emailto identify the traffic channel in aggregated analytics.
To disable tracking you can delete the alert (see section 8): the deletion also removes all the associated click history.
8. User rights
Pursuant to articles 15-22 of the GDPR you have the right to:
- Access your data
- Request its rectification or deletion
- Restrict or object to the processing
- Request portability
- Withdraw consent at any time
- Lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali)
Deletion via the "cancel alert" link present in every email, or via the DELETE /api/alerts/:id endpoint, immediately removes the email, the alert record and the associated click history from all our archives (KV and D1). For any other request, write to privacy@flightguard.app: we respond within 30 days.
9. Cookies
See our Cookie Policy for information on the cookies used.
10. Changes
We publish changes to this policy on this page by updating the date at the top. For substantial changes, we will inform subscribed users by email.