Flyahoy Flyahoy

Privacy Policy

This Privacy Policy explains how Flyahoy collects, uses, stores, and protects your personal data in compliance with the General Data Protection Regulation (GDPR) and Portuguese data protection law.

1. Introduction

Flyahoy ("we", "us", or "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our website, mobile application, and eSIM services (collectively, the "Services").

We process your personal data in compliance with Regulation (EU) 2016/679 (General Data Protection Regulation — "GDPR"), the Portuguese Data Protection Act (Lei n.º 58/2019, de 8 de agosto), and all other applicable data protection legislation.

Data Controller: Flyahoy, based in Portugal.
Contact: [email protected]

Last updated: March 2026

2. Personal Data We Collect

We collect and process the following categories of personal data:

2.1 Data You Provide Directly

  • Account Information: name, email address, phone number, password (encrypted);
  • Payment Information: payment method details (processed securely by third-party payment processors — we do not store full card numbers);
  • Communication Data: messages, support tickets, and any correspondence you send to us;
  • Identification Data: information required for account verification or fraud prevention.

2.2 Data Collected Automatically

  • Device Information: device type, operating system, browser type, screen resolution, unique device identifiers;
  • Usage Data: pages visited, features used, click patterns, session duration, referring URLs;
  • Location Data: approximate geographic location based on IP address (we do not collect precise GPS location);
  • Technical Data: IP address, cookies, and similar tracking technologies (see our Cookie Policy).

2.3 Data from Third Parties

  • Payment Processors: transaction confirmations and payment status;
  • Network Partners: data usage and connectivity information related to eSIM service delivery;
  • Analytics Providers: aggregated usage statistics and performance data.

3. Legal Basis for Processing

We process your personal data based on the following legal grounds under Article 6 of the GDPR:

  • Performance of a Contract (Art. 6(1)(b)): to fulfill our contractual obligations, including processing purchases, delivering eSIM services, and managing your account;
  • Legitimate Interests (Art. 6(1)(f)): to improve our Services, prevent fraud, ensure platform security, and conduct business analytics, provided such interests are not overridden by your fundamental rights;
  • Consent (Art. 6(1)(a)): for marketing communications, non-essential cookies, and other processing activities where we request your specific consent — you may withdraw consent at any time;
  • Legal Obligation (Art. 6(1)(c)): to comply with applicable laws, regulations, and legal proceedings, including tax, accounting, and anti-money laundering obligations.

4. How We Use Your Data

We use the personal data we collect for the following purposes:

  • To create and manage your account;
  • To process and fulfill your eSIM orders;
  • To provide customer support and respond to your inquiries;
  • To send transactional communications (order confirmations, service updates);
  • To send marketing communications (only with your consent);
  • To improve and personalize our Services and user experience;
  • To detect, prevent, and address fraud, abuse, and security issues;
  • To comply with legal obligations and enforce our Terms;
  • To conduct analytics and generate aggregated, anonymized reports.

5. Data Sharing and Third Parties

We do not sell your personal data. We may share your data with the following categories of recipients:

  • Payment Processors: Stripe and other secure payment providers, for transaction processing;
  • Network Partners: mobile network operators, solely for eSIM provisioning and connectivity delivery;
  • Cloud Infrastructure: hosting and storage providers that operate under strict data processing agreements;
  • Analytics Services: Google Analytics and similar tools, for anonymized usage analysis;
  • Customer Support Tools: Chatwoot and similar platforms, for managing support interactions;
  • Legal and Regulatory Authorities: when required by law, court order, or regulation.

All third-party service providers are contractually bound to process your data only on our instructions and in compliance with GDPR requirements.

6. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA) where our Network Partners or service providers operate. In such cases, we ensure appropriate safeguards are in place, including:

  • European Commission adequacy decisions;
  • Standard Contractual Clauses (SCCs) approved by the European Commission;
  • Other legally recognized transfer mechanisms under the GDPR.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including:

  • Account Data: for the duration of your account and up to 3 years after closure;
  • Transaction Data: for a minimum of 7 years as required by Portuguese tax and accounting legislation;
  • Marketing Data: until you withdraw consent or unsubscribe;
  • Technical/Log Data: up to 12 months for security and performance purposes.

After the applicable retention period, data is securely deleted or anonymized.

8. Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data:

  • Right of Access (Art. 15): the right to obtain confirmation of whether your data is being processed and to access a copy of your personal data;
  • Right to Rectification (Art. 16): the right to have inaccurate personal data corrected without undue delay;
  • Right to Erasure (Art. 17): the right to request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements;
  • Right to Restriction (Art. 18): the right to request restriction of processing in certain circumstances;
  • Right to Data Portability (Art. 20): the right to receive your personal data in a structured, commonly used, machine-readable format;
  • Right to Object (Art. 21): the right to object to processing based on legitimate interests or for direct marketing purposes;
  • Right to Withdraw Consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing;
  • Right to Lodge a Complaint: the right to file a complaint with the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados — CNPD) at www.cnpd.pt.

To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days of receiving your request.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption of data in transit (TLS/SSL) and at rest;
  • Secure access controls and authentication mechanisms;
  • Regular security assessments and vulnerability testing;
  • Staff training on data protection and confidentiality obligations.

While we take all reasonable precautions, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security of your data.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on our Platform. We encourage you to review this page periodically.

11. Contact Us

For any questions or requests related to this Privacy Policy or data protection, please contact us:

Flyahoy
Download on the
App Store
GET IT ON
Google Play

Népszerű úti célok

© 2026 FLYAHOY. Minden jog fenntartva.