Privacy Policy

1. Information We Collect And Process

SkyBuyFly provides product search, airport deal discovery, account sync, and checkout intent features. The data we process depends on whether you use the service as a guest, sign in, enable location, or submit an order request.

Account and authentication data

When you sign in, authentication is handled by Auth0. We receive and store the account identifiers and profile fields needed to run your account, including Auth0 user ID, email address, email verification status, name, profile image URL, locale, account creation time, and login activity. The mobile app stores Auth0 session tokens locally so it can keep you signed in and sends the access token to our backend API in the Authorization header.

Shopping, search, and preference data

• Search terms, filters, product IDs, product detail requests, product snapshot requests, and recommendation inputs.
• Selected airport store domains, currency, display settings, notification choices, and privacy preferences.
• Favorites, wishlist state, cart contents, and account sync data across signed-in devices.
• Support or contact messages when you submit them through SkyBuyFly channels.
• Checkout intent details you submit, such as name, email, phone, country, city, address line, postal code, payment method label, loyalty number, cart snapshot, and order totals. We do not collect payment card numbers in the mobile checkout intent flow.

Location and airport context

The mobile apps can ask for approximate or precise foreground location permission to show whether you are near a supported airport. The app compares your device location on your device against airport coordinates returned by our API. The current Android app does not send raw device latitude or longitude to our backend; current iOS mobile flows likewise keep raw coordinates on device. Your selected airport store domains are sent to our backend when you add, remove, sync, or search by airport. Backend geofence-event APIs can receive raw latitude and longitude if a mobile client sends those events; those coordinate-based endpoints are not called by the current Flutter Android app.

Device, session, and analytics data

We process session cookies, IP address, user agent, platform, app version, event IDs, page views, product interactions, search/filter interactions, consent events, errors, and similar usage data for security, diagnostics, analytics, and product improvement. IP addresses stored through analytics services are anonymized before storage. Backend device-token APIs can store push notification tokens, platform, device model, operating system version, app version, timezone, language, and notification settings when a client registers for push notifications. Notification engagement APIs can store delivery, open, click, suppression, opt-out, airport, product, device, and metadata events when a client or backend scheduler records them. The current Flutter Android app does not register Firebase Cloud Messaging tokens or post notification engagement events.

2. How We Use Your Information

• Provide search, airport filtering, currency conversion, product detail, cart, checkout intent, and account sync features.
• Authenticate users, protect sessions, maintain account security, and support sign out across sessions.
• Personalize recommendations, airport deals, favorites, and notification settings when you allow personalization.
• Send requested notifications about price drops, new products, airport deals, and brand promotions.
• Operate analytics, diagnostics, abuse prevention, reliability monitoring, and error investigation.
• Respond to privacy requests, exports, deletion requests, support requests, and compliance obligations.

3. Service Providers And Sharing

We use service providers to operate the service, including Auth0 for authentication, hosting and database providers for the backend, search infrastructure, image proxying, currency/rate services, and notification delivery providers such as Firebase Cloud Messaging or APNs when push notifications are registered. We do not sell personal information. When you submit checkout or order requests, we use the submitted details to prepare, store, and operate that request. We may disclose information if required by law, to protect users or the service, or to complete a transaction you initiated.

4. Your Privacy Rights

Depending on where you live, you may have rights to:

• Access: Request a copy of personal data associated with your account.
• Rectification: Correct inaccurate account or preference data.
• Erasure: Request deletion of account data.
• Portability: Receive your account data in a structured JSON format.
• Consent withdrawal: Change analytics, personalization, marketing, and notification choices.
• Location control: Disable location permission in your device settings or in the mobile permission prompt.

5. Data Retention And Deletion

We retain account data while your account is active and as needed for the purposes above. Account data controls let signed-in users export data, schedule deletion with a retention period, or request immediate deletion. Immediate deletion removes the account record and preferences, while session records may be anonymized for security, fraud prevention, analytics integrity, and compliance. Soft deletion deactivates and anonymizes the account until the retention period expires. Behavioral event logs carry a row-level retention period, defaulting to 365 days, and local mobile tracking queues are retained for no more than 7 days. User-specific recommendation profiles are deleted when you revoke personalization or request account erasure; historical recommendation and tracking logs are anonymized for aggregate audit records when full deletion would break compliance records.

6. Cookies, Local Storage, And Mobile Storage

We use essential cookies for sessions and consent state, plus optional cookies or local storage for analytics and personalization. Web, Android, and iOS tracking code defaults to disabled unless consent is explicit. The mobile app uses local app storage for selected airports, currency, Auth0 session tokens, and consent-gated local tracking queues. You can clear mobile app data through your operating system settings, sign out from the app, revoke location permission, change consent, or use account data controls for server-side data.

7. Platform Privacy Disclosures

Our Play Data Safety and App Store privacy disclosures classify Auth0 account data, app activity, diagnostics, purchases/reservations, favorites/preferences, optional device location, and notification tokens according to the actual flows above. We do not sell personal data, and optional analytics or personalization data is not used unless the corresponding consent control is enabled.

8. Contact Us

If you have questions about this privacy policy or want to exercise your privacy rights, please contact our Data Protection Officer at privacy@skybuyfly.com.