Privacy Policy

1. Introduction

TravelyDeal ("we", "us", "our") is operated by André Luís dos Santos Carneiro Terra, registered in Portugal (NIF 334521440). We are committed to protecting your personal data in accordance with Regulation (EU) 2016/679 (GDPR) and applicable Portuguese data protection law.

This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights under GDPR.

2. Data We Collect

2.1 Account and Registration Data

• Name and email address
• Password (stored in hashed form — we never see your plain-text password)
• Subscription plan and billing status

2.2 Payment Data

Payment processing is handled exclusively by Stripe, Inc. (a PCI DSS Level 1 certified processor). We receive only a tokenised reference and the last 4 digits of your card — we never store full card numbers, CVVs, or sensitive payment credentials.

2.3 Usage and Technical Data

• IP address, browser type, operating system
• Pages visited, time spent, clicks, search queries
• Price alerts you have set (origin/destination/target price)
• Email open and click events (for alerts you have subscribed to)

2.4 Cookie Data

We use cookies and similar tracking technologies. See our Cookie Policy for full details.

3. Legal Basis for Processing

• Contract performance (Art. 6(1)(b) GDPR): Processing necessary to provide the TravelyDeal service and manage your subscription.
• Legitimate interests (Art. 6(1)(f) GDPR): Analytics, fraud prevention, service improvement, and security.
• Legal obligation (Art. 6(1)(c) GDPR): Compliance with fiscal, accounting, and legal requirements.
• Consent (Art. 6(1)(a) GDPR): Marketing emails and non-essential cookies, where you have given explicit consent.

4. How We Use Your Data

• Creating and managing your account
• Processing subscription payments via Stripe
• Sending price drop alerts and deal notifications you have subscribed to
• Improving our platform through analytics
• Responding to your support enquiries
• Complying with legal and regulatory obligations
• Sending promotional communications (only with your explicit consent)

5. Data Sharing and Third Parties

We do not sell your personal data. We share data only with:

• Stripe, Inc. — payment processing (privacy.stripe.com)
• Travelpayouts / Jetradar — affiliate flight data and tracking (travelpayouts.com/en/privacy)
• Email service providers — transactional and alert emails
• Hosting and infrastructure providers — operating the platform under data processing agreements
• Legal authorities — when required by law or a valid court order

6. International Transfers

Some of our service providers (e.g. Stripe) operate outside the EU/EEA. When your data is transferred internationally, we ensure adequate safeguards are in place (Standard Contractual Clauses or equivalent) in compliance with GDPR Chapter V.

7. Data Retention

• Account data: Retained for the duration of your account plus 3 years after deletion (for legal/fiscal purposes).
• Payment records: Retained for 10 years as required by Portuguese tax law.
• Usage logs: Retained for up to 13 months.
• Marketing consent: Until you withdraw consent.

8. Your Rights Under GDPR

You have the following rights regarding your personal data:

• Access (Art. 15): Request a copy of your personal data.
• Rectification (Art. 16): Correct inaccurate or incomplete data.
• Erasure (Art. 17): Request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
• Restriction (Art. 18): Request that we limit how we process your data.
• Portability (Art. 20): Receive your data in a structured, machine-readable format.
• Objection (Art. 21): Object to processing based on legitimate interests, including direct marketing.
• Withdraw consent (Art. 7(3)): Withdraw any consent you have given at any time.

To exercise any of these rights, contact us at admin@travelydeal.com. We will respond within 30 days.

You also have the right to lodge a complaint with the Portuguese data protection authority: CNPD — Comissão Nacional de Proteção de Dados (www.cnpd.pt).

9. Security

We implement appropriate technical and organisational measures to protect your personal data, including TLS encryption for data in transit, hashed password storage, and access controls. No method of transmission or storage is 100% secure; however, we are committed to protecting your data to the best of our ability.

10. Children's Privacy

TravelyDeal is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, please contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify registered users by email and update the "Last updated" date at the top of this page. Continued use of TravelyDeal after changes constitutes acceptance of the updated policy.

12. Contact

For any privacy-related questions or to exercise your rights: