Privacy Policy | FlyQ

This Privacy Policy describes how FlyQ collects, uses, stores, and shares personal data when you use our websites, apps, accounts, waitlist, newsletters, bookings, careers pages, and related services. FlyQ operates primarily from Mexico; this notice is designed to meet common transparency expectations, including for people in the European Economic Area, the United Kingdom, and Mexico. It is not legal advice; ask qualified counsel if you need guidance for your situation.

1. Who we are

FlyQ (FlyQ) is the controller responsible for personal data described here, unless we state that another party is a separate controller. Our main operations are centered in Mexico. For privacy requests and questions about this policy, email privacy@flyq.app. For general product support, email support@flyq.app. If we appoint a data protection representative in the EEA or UK, we will list updated contact details on this page.

2. Scope

This policy applies when you visit flyq.com (and related FlyQ sites), create or use an account, complete onboarding, join a waitlist, subscribe to email updates, book or pay for services, use address or map features, manage advertising or coverage settings where available, apply for jobs (including optional résumé upload), or contact us. It does not govern third-party sites or services that we link to; their policies apply instead.

3. Categories of personal data we process

We may process: identity and contact data (name, email, phone); account and profile data (sector, account type, company name and address, coordinates derived from addresses); authentication data (email for magic links, session identifiers stored in cookies); waitlist and marketing preference data; booking and logistics data (pickup and delivery addresses, quotes, order status, service type, duration, confirmation tokens); payment-related data (amounts, currency, Stripe session or customer references; payment card numbers are processed by Stripe, not stored by us as full card data); advertising campaign data (campaign name, location, radius) where you use that product; careers data (application fields, cover letter, optional résumé file and filename, role applied for, locale); technical and usage data (IP address, device and browser type, approximate location inferred from IP, timestamps, diagnostic logs); and communications you send us. Exact fields depend on which features you use.

4. Sources of personal data

We receive data directly from you when you type it, upload files, or complete forms. We also generate or collect technical data automatically when you use the Services (for example cookies, server logs, and analytics events). We may receive limited data from payment and fraud providers (Stripe) about transaction status. If you use Google-powered address or map features, Google processes queries according to its terms and policies.

5. Purposes and legal bases (including GDPR)

We use personal data to: provide and operate the Services, including accounts, bookings, payments, and customer support (contract or steps prior to a contract; equivalent bases under Mexican law where applicable); send transactional and security-related messages such as sign-in links (contract and legitimate interests in securing accounts); process payments and prevent fraud (contract, legitimate interests, legal obligations); run waitlists and optional marketing emails when you sign up or consent (consent where required, otherwise legitimate interests in promoting similar services with an easy unsubscribe); improve and secure the product, troubleshoot, and analyze aggregate usage (legitimate interests; you may have rights to object depending on jurisdiction); comply with law and respond to lawful requests (legal obligation); and manage hiring, including reviewing applications and résumés (legitimate interests in recruitment, and sometimes contract with you). Where we rely on consent, you may withdraw it without affecting prior processing that was lawful. Where we rely on legitimate interests, we balance our interests against your rights.

6. Processors and recipients

We share data with service providers who process it on our instructions: Supabase (hosted database, authentication, and private file storage for résumés); Resend (sending transactional email such as authentication messages); Stripe (payment processing and billing portals); Google (Maps and Places-related APIs when you use those features); Vercel (site hosting and web analytics). We may also share data with professional advisers, insurers, or corporate affiliates in a business transaction, and with law enforcement or regulators when required by law or to protect rights and safety. We do not sell your personal information for money. We do not share data for cross-context behavioral advertising as defined in some U.S. state laws.

7. International transfers

We and our providers may process data in Mexico, the United States, the European Union, and other countries where they operate. If we transfer personal data from the EEA, UK, or Switzerland to countries not deemed adequate, we use appropriate safeguards such as standard contractual clauses approved by regulators or equivalent mechanisms offered by our vendors, together with supplementary measures where appropriate. You may contact privacy@flyq.app for a summary of transfers or copies of safeguards where we are required to provide them.

8. Retention

We keep personal data only as long as needed for the purposes above. Account and booking records are retained for the life of the relationship and for a period afterward to resolve disputes, enforce terms, and meet tax, accounting, and legal requirements. Waitlist and marketing data are kept until you unsubscribe or ask us to delete them, subject to minimal suppression lists where needed. Job applications and résumés are kept for the hiring process and a limited period afterward for talent pools and legal defense unless you ask for earlier deletion and we have no overriding obligation to retain. Technical logs and analytics may be kept in shorter cycles or in aggregated form. When retention ends, we delete or anonymize data where feasible.

9. Security

We use technical and organizational measures designed to protect personal data, including access controls, encryption in transit where supported by our stack, separation of production access, and vendor security reviews at a level appropriate to our stage. No online service is perfectly secure; we encourage strong passwords, device security, and prompt reporting of suspected incidents to support@flyq.app.

10. Your rights in the EEA, UK, and similar jurisdictions

Depending on where you live, you may have the right to access, correct, delete, or restrict processing of your personal data, to receive a portable copy in a machine-readable format where applicable, to object to processing based on legitimate interests (including profiling that produces legal or similarly significant effects, if any), to withdraw consent where processing was consent-based, and to lodge a complaint with a supervisory authority in your country. To exercise rights, email privacy@flyq.app. We may need to verify your identity. You may also use in-product account tools where available.

11. Your rights in Mexico (LFPDPPP and regulations)

If Mexican law applies, you may have rights of access, rectification, cancellation, and opposition (ARCO) regarding personal data, as well as rights to revoke consent where processing is consent-based. You may limit use or disclosure in cases foreseen by law. To exercise these rights, email privacy@flyq.app describing your request. If you believe your rights were violated, you may file a complaint with the INAI or the competent authority.

12. United States (California and other states)

Residents of certain U.S. states may have rights to know categories of personal information collected, to request access or deletion, to correct inaccuracies, and to opt out of sale or certain sharing. We do not sell personal information. For privacy requests from the U.S., email privacy@flyq.app. We will not discriminate against you for exercising rights where that prohibition applies. If we ever offer financial incentives tied to data collection, we will describe them as required by law.

13. Children

The Services are not directed at children under 16 (or the higher age required where you live). We do not knowingly collect personal data from children. If you believe a child provided data, contact privacy@flyq.app and we will take appropriate steps.

14. Automated decision-making

We do not use fully automated decisions that produce legal or similarly significant effects about you without human review. We may use automated systems for security, fraud screening, routing, pricing quotes, or product analytics; you can ask for more detail at privacy@flyq.app.

15. Cookies and similar technologies

We use cookies and similar technologies to keep you signed in (essential), maintain security, remember preferences, and understand aggregate traffic through Vercel Analytics. You can control cookies through browser settings. If we introduce non-essential cookies or analytics that require consent in your region, we will update this policy and, where required, provide a consent mechanism.

16. Changes to this policy

We may update this Privacy Policy to reflect new practices or legal requirements. We will post the new version with an updated date and, when changes are material, provide additional notice when practical. Continued use after the effective date may be treated as acceptance where allowed by law.

17. Contact

Privacy and data protection: privacy@flyq.app. General support: support@flyq.app. If you are in the EEA or UK and we have appointed a representative, their details will appear here when available.