Privacy Policy
How GoFlyAdventure collects, uses, shares, protects, and retains personal data.
Who controls your data
This Privacy Policy explains how GoFlyAdventure (operated by GoFlyAdventure L.L.C, Tirana, Albania, registration no. 123 - 123) ("GoFlyAdventure", "we", "us", or "our") processes personal data when you visit our websites, create an account, make or manage a booking, onboard as a provider, contact support, subscribe to communications, or otherwise interact with our travel and adventure marketplace.
GoFlyAdventure is established in Austria. For the processing activities described in this policy, GoFlyAdventure is normally the data controller responsible for deciding why and how your personal data is processed.
GoFlyAdventure is normally the controller for:
- Account administration and authentication.
- Operating, maintaining, and securing the marketplace platform.
- Processing bookings, payments, refunds, and related customer support.
- Provider onboarding, verification, and platform management.
- Platform analytics and service improvement, subject to applicable consent requirements.
- Marketing communications sent by GoFlyAdventure, where permitted.
- Fraud prevention, abuse detection, and legal compliance.
When you book a travel or adventure service, the independent provider identified during checkout may also process personal data about you as a separate controller for purposes connected with performing the booked service, complying with law, and handling safety or operational needs. Providers are not automatically processors of GoFlyAdventure; their role depends on how they use the information they receive.
Where GoFlyAdventure and another party jointly determine the purposes and means of specific processing, a separate joint-controller arrangement may apply and will be made available where required by law.
If you have questions about this policy or our processing activities, contact us using the details in the Contact and supervisory authority section. Your use of the platform is also governed by our Terms of Service, which you can read at /terms.
Scope
This Privacy Policy applies to personal data processed through GoFlyAdventure's public website, traveller accounts, provider accounts and onboarding flows, booking and payment journeys, reviews and ratings, customer support, marketing activities, cookies and similar technologies, fraud and security monitoring, and any mobile application if and when we introduce one.
It covers processing relating to:
- Visitors browsing listings, destinations, or informational pages.
- Registered travellers searching, booking, paying for, reviewing, or managing travel and adventure services.
- Providers creating listings, managing availability, receiving bookings, and communicating with travellers.
- Communications routed through the platform, including support, complaints, appeals, and moderation reports.
- Newsletter, waitlist, or promotional sign-ups where offered.
- Security, fraud-prevention, and compliance activities necessary to operate a trustworthy marketplace.
This policy does not replace the privacy information of independent providers, payment processors, map tools, social networks, or other third-party services you may access through links on or off the platform. Those services are responsible for their own privacy practices.
If you use GoFlyAdventure on behalf of a business, additional contractual terms—including the Provider Agreement where applicable—may also govern certain processing activities. Where those terms conflict with mandatory data-protection law, the mandatory law prevails.
Data collected
The personal data we process depends on how you use GoFlyAdventure. We collect only what is reasonably necessary for the relevant purpose. The categories below describe the main types of information we may process.
- Account and identity data: Name, email address, telephone number, authentication credentials or tokens, preferred language, account role (such as traveller or provider user), profile details, and account preferences.
- Traveller and booking data: Travel dates, destination, selected services, participant and guest information, booking requests and confirmations, accessibility or special requests you voluntarily submit, communications with providers, and cancellation or refund history.
- Provider and business data: Business name, registration details, VAT or tax information where required, business address, contact details, bank or payout details, licences, permits, certificates, insurance evidence, and verification documents where required, plus listings, prices, availability, policies, photographs, performance metrics, and complaint history.
- Payment and transaction data: Payment amount, currency, payment status, payment method type, processor references, refunds, chargebacks, commissions, and payout records. Complete payment-card credentials are generally collected and stored by our regulated payment processor rather than by GoFlyAdventure, unless we expressly state otherwise at checkout.
- Device and technical data: IP address, device and browser information, operating system, session identifiers, security logs, cookie identifiers, approximate location inferred from IP address, and interaction or diagnostic data needed to operate and secure the platform.
- Communications and content: Support messages, reviews, reports, appeals, uploaded content, survey responses, and provider–traveller communications where routed through the platform.
You are responsible for ensuring that information you provide is accurate and that you have permission to share information about other travellers or guests included in a booking.
Sources of data
We obtain personal data from several sources, depending on the activity:
- Directly from you when you create an account, make a booking, onboard as a provider, submit content, or contact us.
- From another traveller who includes your details in a booking or participant list.
- From providers when they respond to enquiries, confirm bookings, or upload business information.
- From payment processors and financial partners handling transactions on our behalf.
- From identity, business-verification, or fraud-prevention services where legally permitted and operationally necessary.
- From public business registers or official databases used to verify trader information.
- From authentication providers if you choose to sign in using a supported third-party method.
- Automatically from your device and browser through cookies, logs, and similar technologies, subject to consent requirements for non-essential tools.
- From customer-support interactions, complaints, and moderation reports.
- From courts, regulators, tax authorities, or law-enforcement bodies where we are legally permitted or required to receive such information.
Where data is collected through cookies or analytics tools that require consent under applicable law, those tools will not be activated until you have made an appropriate choice through our cookie interface, except for strictly necessary cookies.
Purposes and legal bases
Under the General Data Protection Regulation (GDPR) and applicable national law, we must identify a lawful basis for each processing purpose. The table below summarises our main purposes, the types of data involved, the legal basis we rely on, and important notes. This is a transparency summary—not a request for blanket consent to all processing.
| Purpose | Types of data | Legal basis | Notes |
|---|---|---|---|
| Account creation, authentication, and account management | Account and identity data; device and technical data | Performance of a contract (Art. 6(1)(b) GDPR) | Necessary to provide the account and platform services you request. |
| Processing bookings, communicating with providers, and fulfilling travel services | Traveller and booking data; account data; communications; payment and transaction data | Performance of a contract (Art. 6(1)(b)); steps at your request before entering a contract (Art. 6(1)(b)) | Includes sharing booking details with the relevant provider to perform the service. |
| Payments, refunds, payouts, and transaction records | Payment and transaction data; account data; booking data | Performance of a contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f)) where appropriate | Legitimate interests may support fraud monitoring and recovery of sums owed, balanced against your rights. |
| Provider onboarding, verification, and marketplace trust | Provider and business data; verification documents; communications | Performance of a contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f)) | Verification supports trader traceability, fraud prevention, and traveller safety where permitted by law. |
| Fraud prevention, abuse detection, cybersecurity, and platform integrity | Account data; booking data; device and technical data; communications | Legitimate interests (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)) where applicable | We assess necessity and balance our interests against your rights; some checks may involve automated risk signals. |
| Customer support, complaints, and dispute handling | Account data; booking data; communications; support records | Performance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)) | Includes responding to traveller and provider enquiries and regulatory complaints. |
| Tax, accounting, regulatory, and law-enforcement compliance | Account data; booking data; payment data; provider data | Legal obligation (Art. 6(1)(c)) | Retention periods may be set by statute and are listed in the Retention section. |
| Service analytics using strictly necessary or aggregated operational data | Device and technical data; limited usage data | Legitimate interests (Art. 6(1)(f)) where legally permitted | Used to maintain reliability, diagnose errors, and understand aggregate platform performance. |
| Non-essential analytics, audience measurement, or similar optional tools | Device and technical data; cookie identifiers; usage data | Consent (Art. 6(1)(a)) where required | Optional analytics cookies are disabled until you consent through Cookie settings. |
| Email, SMS, or push marketing from GoFlyAdventure | Account data; contact details; marketing preferences | Consent (Art. 6(1)(a)) or another lawful basis permitted by national law | You can opt out at any time; service and booking messages are handled separately. |
| Personalisation and recommendations | Account data; booking history; search activity; preferences | Performance of a contract, legitimate interests, or consent depending on implementation | The lawful basis depends on whether personalisation is core to the requested service or optional. |
| Establishing, exercising, or defending legal claims | Relevant account, booking, payment, communications, and security data | Legitimate interests (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)) where applicable | Used where disputes, chargebacks, or regulatory investigations require evidence. |
We do not rely on legitimate interests as a generic justification for unrelated processing. Where we depend on legitimate interests, we consider whether the processing is necessary, whether less intrusive alternatives exist, and how your rights and expectations are affected.
Where processing is necessary for the performance of our contract with you, refusing to provide certain information may mean we cannot create an account, complete a booking, or onboard a provider.
Special-category and sensitive information
GoFlyAdventure does not generally require special-category data under Article 9 GDPR, such as data revealing health conditions, religious beliefs, or biometric identifiers.
However, travellers may voluntarily provide information concerning disability, mobility needs, allergies, dietary requirements, pregnancy, or other health-related details when such information is necessary to arrange a safe and suitable service. Providers may also receive this information when it is relevant to performing a booking.
- We collect such information only where there is a clear justification and you choose to provide it.
- Access is restricted to people and systems that need the information for the relevant booking, support, or compliance purpose.
- We apply data minimisation and do not request more detail than reasonably necessary.
- Where Article 9 GDPR applies, we rely on an appropriate condition such as your explicit consent or the necessity of processing to protect your vital interests, depending on the circumstances.
- Where safer, you may communicate necessary requirements directly to the provider through the booking process or platform messaging.
- We do not use special-category or sensitive information for unrelated advertising or profiling.
Automated decisions, ranking, and personalisation
GoFlyAdventure uses automated systems to organise search results, recommend relevant listings, detect suspicious activity, and protect the marketplace. These systems analyse information such as search criteria, availability, pricing, listing quality, booking performance, traveller preferences where permitted, and trust or safety signals.
Search ranking and personalisation help travellers discover suitable travel and adventure services. Ordinary ranking or recommendation does not, by itself, produce legal or similarly significant effects on you within the meaning of Article 22 GDPR.
Fraud-prevention, abuse-detection, and risk tools may automatically flag transactions or accounts for review. Where a decision produces legal or similarly significant effects solely by automated means, we will provide meaningful information about the logic involved and allow you to request human review where Article 22 GDPR requires us to do so.
- Automated ranking factors are described in general terms in our Terms of Service.
- Human review is used where legally required or where an automated outcome may restrict access, cancel a booking, or suspend an account.
- You may contact us to request information about automated processing that affects you or to contest a qualifying automated decision.
- We do not claim that no automated processing takes place; instead, we distinguish routine marketplace functions from decisions that require additional safeguards.
Who receives data
We share personal data only where there is a lawful basis and a genuine need for the recipient to receive it. We require service providers that process data on our behalf to do so under appropriate contractual safeguards.
- Booked providers, to perform and manage the services you reserve.
- Payment processors and financial institutions, to authorise payments, issue refunds, and manage payouts.
- Cloud-hosting, storage, and infrastructure providers that support platform operation.
- Email, SMS, push-notification, and customer-communication providers.
- Customer-support, moderation, and trust-and-safety tools where used.
- Fraud-prevention, cybersecurity, and authentication providers.
- Analytics providers, but only where you have enabled the relevant optional cookies or another lawful basis applies.
- Professional advisers such as lawyers, auditors, or insurers where reasonably necessary.
- Insurers or claims handlers where relevant to an insured event or mandatory disclosure.
- Government, tax, regulatory, judicial, or law-enforcement authorities where we are legally required or permitted to disclose information.
- Successors or acquirers in connection with a merger, acquisition, or asset sale, subject to appropriate confidentiality and data-protection safeguards.
We do not sell your personal data. We also do not publish private provider verification documents or unnecessary traveller details beyond what is required for booking fulfilment, support, or legal compliance.
A current list of key subprocessors may be published separately once our infrastructure and vendor arrangements are finalised. Until then, you may contact us for general information about the categories of recipients we use.
Provider use of traveller data
When you book a service, we share traveller information with the relevant provider so they can confirm availability, deliver the service, communicate with you, and meet legal or safety obligations. Providers receive only the data reasonably necessary for those purposes.
Providers may use traveller information only for:
- Managing and performing confirmed bookings.
- Communicating about the booked service, including changes, arrival instructions, or safety notices.
- Meeting health, safety, accessibility, and legal requirements connected with the service.
- Handling complaints, refunds, no-shows, or disputes relating to the booking.
- Recordkeeping required by applicable tourism, transport, accommodation, tax, or consumer law.
Providers must not add travellers to independent marketing lists, send unrelated promotional messages, or use booking data for their own profiling or resale without a separate lawful basis and, where required, clear consent.
If a provider misuses traveller data, you may report the issue to GoFlyAdventure and, where appropriate, to your local data-protection supervisory authority. Provider obligations under applicable law and the Provider Agreement are separate from this Privacy Policy.
International data transfers
GoFlyAdventure primarily serves travellers and providers in the European Union and European Economic Area. However, some of our service providers may process personal data in countries outside the EEA, including countries that may not provide the same level of data protection as your home jurisdiction.
When we transfer personal data outside the EEA, we do so only where an appropriate safeguard applies, such as:
- An adequacy decision adopted by the European Commission.
- Standard Contractual Clauses approved by the European Commission, supplemented where necessary.
- Another lawful transfer mechanism recognised under applicable data-protection law.
- Additional technical and organisational measures where a transfer assessment indicates they are needed.
We do not represent that all data remains within the EU unless and until our hosting regions and subprocessors have been verified and published. You may contact us to request information about the safeguards applicable to specific transfers, subject to legal and confidentiality limits.
Retention
We retain personal data only for as long as necessary for the purposes described in this policy, unless a longer period is required or permitted by law. Retention depends on the type of data, whether you maintain an active account, whether a booking or dispute is ongoing, and our legal, tax, accounting, fraud-prevention, and security obligations.
The schedule below sets out our provisional retention categories. Periods shown in brackets require legal and operational confirmation once our EU country of establishment and statutory obligations are finalised. These values are maintained centrally so they can be updated in one place.
| Category | Retention period | Notes |
|---|---|---|
| Active account data | [ACCOUNT_LIFETIME — to be confirmed] | Retained while the account remains active. |
| Closed account data | [POST_CLOSURE_PERIOD — to be confirmed] | Limited retention after closure for disputes, fraud prevention, and legal duties. |
| Booking and transaction records | [STATUTORY_ACCOUNTING_PERIOD — to be confirmed] | Accounting, tax, consumer, and legal-claims periods apply. |
| Provider verification data | [VERIFICATION_RETENTION — to be confirmed] | Verification, regulatory, fraud, and defence purposes. |
| Support and complaint records | [COMPLAINT_LIMITATION_PERIOD — to be confirmed] | Complaint handling and limitation periods. |
| Security logs | [SECURITY_LOG_PERIOD — to be confirmed] | Short operational period unless an incident requires longer retention. |
| Marketing consent records | [MARKETING_CONSENT_PROOF — to be confirmed] | While marketing continues and for a limited proof period after withdrawal. |
| Cookie consent records | [COOKIE_CONSENT_PROOF — to be confirmed] | Demonstrates consent preferences and version. |
| Unsuccessful provider drafts | [DRAFT_INACTIVITY_PERIOD — to be confirmed] | Deleted or anonymised after a defined period of inactivity. |
| Uploaded identity or verification evidence | [VERIFICATION_EVIDENCE — to be confirmed] | Deleted earlier than ordinary account data when retention is not legally necessary. |
When retention ends, we delete or anonymise personal data unless limited information must be kept in aggregated or de-identified form for reporting, security, or legal defence.
Security
GoFlyAdventure implements proportionate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
- Encryption in transit for data sent between your browser or app and our services.
- Access controls and role-based permissions limiting who can view or change personal data.
- Authentication controls and monitoring for administrative and provider accounts.
- Logging and review of security-relevant events.
- Backups and recovery procedures to support continuity.
- Vulnerability management and patching processes.
- Vendor assessment for subprocessors handling personal data on our behalf.
- Incident-response procedures for suspected security events.
- Data minimisation and retention controls aligned with this policy.
No online service can guarantee absolute security. You also play a role by keeping your credentials confidential, using a strong password, and notifying us promptly if you suspect unauthorised access to your account.
For security reasons, we do not publicly disclose detailed technical configurations, undisclosed vulnerabilities, or other information that could reasonably assist misuse of the platform.
Data breaches
We maintain procedures to identify, investigate, and respond to suspected personal-data breaches. If we become aware of a breach likely to result in a risk to your rights and freedoms, we will take appropriate steps without undue delay:
- Assess the nature, scope, and likely impact of the incident.
- Contain the issue and mitigate further harm where possible.
- Notify the competent supervisory authority where required by GDPR Article 33.
- Notify affected individuals where required by GDPR Article 34, including where the breach is likely to result in a high risk to you.
- Keep records of the incident and our response as required by law.
If you believe your GoFlyAdventure account or a booking has been affected by a security incident, contact us immediately using the privacy contact details below so we can investigate and, where appropriate, guide you on protective steps.
User rights
Depending on your location and the processing involved, you may have the following rights under GDPR and applicable national law:
- Right of access to personal data we hold about you.
- Right to rectification of inaccurate or incomplete data.
- Right to erasure in certain circumstances.
- Right to restrict processing in certain circumstances.
- Right to object to processing based on legitimate interests or for direct marketing.
- Right to data portability for information you provided where processing is based on consent or contract and carried out by automated means.
- Right to withdraw consent at any time for processing that depends on consent, without affecting prior lawful processing.
- Rights relating to qualifying automated decision-making under Article 22 GDPR.
- Right to lodge a complaint with a supervisory authority.
To exercise these rights, contact us at info@goflyadventure.com or use our privacy request channel when available. We may need to verify your identity using proportionate methods before fulfilling a request, particularly where disclosure could affect another person's privacy or platform security.
We aim to respond without undue delay and within the time limits set by applicable law. If your request is complex or we receive many requests, we may extend the response period as permitted by law and will inform you.
Exercising your privacy rights does not affect your contractual relationship under our Terms of Service, except where the law requires otherwise.
Marketing preferences
GoFlyAdventure may send promotional emails, SMS messages, or push notifications about destinations, listings, offers, or platform features where permitted by law and, where required, based on your consent.
- You can opt out of GoFlyAdventure marketing at any time using the unsubscribe link in a message or through account settings where available.
- Transactional and service messages—such as booking confirmations, payment receipts, security alerts, or important account notices—are not marketing and may still be sent where necessary to perform our contract or protect your account.
- Withdrawing marketing consent affects future promotional messages only; it does not undo processing that was already lawful.
- Marketing from independent providers is separate from GoFlyAdventure marketing and requires the provider's own lawful basis.
If you receive unwanted marketing directly from a provider after a booking, contact the provider first where appropriate and notify GoFlyAdventure if the issue persists.
Children
GoFlyAdventure is not designed for children to independently create bookings or provider accounts. A parent, guardian, or authorised adult may provide limited information about a child when necessary for a family booking or participant list.
Providers must use child participant information only to deliver the booked service and meet applicable safety or legal requirements. They must not use it for unrelated marketing or profiling.
If you believe we have collected personal data from a child without appropriate authority, contact us so we can review and, where appropriate, delete the information. Age and capacity requirements for using the platform are also described in our Terms of Service.
Third-party links and services
GoFlyAdventure may contain links to external websites, map tools, payment pages, social media platforms, provider-owned sites, or other third-party services. Those services are operated by independent parties with their own privacy policies and terms.
We are not responsible for the privacy practices of third parties outside our control. Before submitting personal data on an external site, review its privacy information and settings carefully.
When you complete a payment, you may interact directly with a regulated payment processor subject to that processor's privacy notice. Likewise, communications or bookings fulfilled entirely off-platform may be governed by the provider's own policies.
Changes to the policy
We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or operational practices. The effective date and last updated date shown on this page will change when we publish a revised version. Current version: 1.0.
If we make material changes, we will inform you through an appropriate channel such as a notice on the platform, email, or account notification. We will not treat continued use of the platform as consent to new processing that legally requires consent.
Where changes affect how we process data based on contract necessity or legal obligation, we will explain the impact and, where required, obtain any additional consent or provide choices before applying the change to optional processing.
Previous versions may be archived internally for compliance purposes. If you have questions about a change, contact us using the details below.
