Last Updated: March 2, 2026
1. Introduction
Tripzi Deals is committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR). This page explains your rights under GDPR and how we ensure compliance.
We are a data controller registered in Austria under company number FN 123456a.
2. Legal Basis for Processing
We process your personal data based on the following legal grounds:
- Consent: When you provide explicit consent for marketing communications and optional features
- Contract Performance: To deliver the flight deal notification service you signed up for
- Legitimate Interest: To improve our service, prevent fraud, and ensure security
- Legal Obligation: To comply with tax, accounting, and regulatory requirements
3. Your Rights Under GDPR
You Have the Right To:
- Access: Request a copy of all personal data we hold about you
- Rectification: Correct inaccurate or incomplete data
- Erasure ("Right to be Forgotten"): Request deletion of your data when no longer necessary
- Restrict Processing: Limit how we use your data in certain circumstances
- Data Portability: Receive your data in a structured, machine-readable format
- Object: Object to processing based on legitimate interests or direct marketing
- Withdraw Consent: Withdraw your consent at any time without affecting the lawfulness of previous processing
- Lodge a Complaint: File a complaint with the Austrian Data Protection Authority (DSB)
4. Data We Collect
Account Data
- Email address
- Name (optional)
- Password (encrypted)
- Account creation date
Preference Data
- Departure airports
- Preferred destinations
- Price thresholds
- Notification settings
Payment Data
- Billing information (processed by Stripe)
- Transaction history
- Subscription status
Usage Data
- Device type and identifier
- IP address
- App usage statistics
- Click-through behavior
5. Data Retention
We retain personal data only as long as necessary for the purposes outlined:
- Active Accounts: Data retained while your account is active
- Deleted Accounts: Most data deleted within 30 days; some records kept for 7 years for legal/tax compliance
- Marketing Data: Removed within 60 days of unsubscribing
- Analytics Data: Anonymized after 26 months
6. International Data Transfers
As an Austrian company, we primarily process data within the European Economic Area (EEA). When we transfer data outside the EEA, we ensure adequate protection through:
- EU Standard Contractual Clauses (SCCs)
- GDPR-compliant data processing agreements
- Privacy Shield successor frameworks (for US transfers)
7. Third-Party Processors
We share data with carefully vetted third parties who act as data processors:
- Cloud Hosting: AWS (Frankfurt region) for infrastructure
- Payment Processing: Stripe (GDPR compliant)
- Email Service: SendGrid (EU data centers)
- Analytics: Google Analytics (IP anonymization enabled)
All processors are bound by Data Processing Agreements (DPAs) that comply with GDPR Article 28.
8. Automated Decision-Making
We use automated systems to match flight deals to your preferences. You have the right to:
- Obtain human intervention in automated decisions
- Express your point of view
- Contest automated decisions
9. Children's Privacy
Our service is not intended for children under 16. We do not knowingly collect data from children. If we discover we have collected data from a child, we will delete it promptly.
10. Security Measures
We implement appropriate technical and organizational measures including:
- Industry-standard encryption (TLS 1.3 for data in transit, AES-256 for data at rest)
- Regular security audits and penetration testing
- Access controls and authentication protocols
- Employee training on data protection
- Incident response procedures
11. Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify the Austrian Data Protection Authority within 72 hours
- Inform affected users without undue delay
- Describe the nature and consequences of the breach
- Explain measures taken to mitigate the breach
12. How to Exercise Your Rights
To exercise any of your GDPR rights, you can:
- In-App: Use the "My Data" section in account settings
- Email: Send a request to dpo@tripzi.tech
We will respond to your request within 30 days (extendable to 60 days for complex requests).
13. Supervisory Authority
If you believe we are not complying with GDPR, you have the right to lodge a complaint with the data protection authority of your EU country of residence. A list of EU data protection authorities is published by the European Data Protection Board.
Data Protection Officer
For any data protection inquiries, please contact our Data Protection Officer:
Email: dpo@tripzi.tech
14. Updates to This Document
We may update this GDPR compliance statement to reflect changes in our practices or legal requirements. Significant changes will be communicated via email with 30 days' notice.