Privacy policy
EFFECTIVE DATE: APRIL 3, 2023
1. Definitions
Admin
A User with specialised privileges over a Flyfish account, encompassing responsibilities like overseeing company funds, and issuing and deactivating cards.
Controller
The legal entity, which is responsible for the processing of your personal data.
Data subject
The natural person, whose data is being processed by the Controller and/or the Processor.
GDPR
Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, commonly referred to as General Data Protection Regulation.
Issuer
The licensed electronic money institution and/or card issuer which provides the payment cards and opens the e-money accounts for Flyfish clients.
Personal data
Any information that relates or can in any way be related to an identified or identifiable living person.
Processing of personal data
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.
Processor
The legal entity that processes your personal data on behalf of the Controller of your data.
User
An individual who has been granted access to a Flyfish account and/or has been designated as a cardholder on behalf of a Flyfish client.
2. Purpose and scope
The purpose of this Privacy Policy (‘Policy’) is to outline how we collect and process your personal data in relation to the provision of our services (‘Services’) as defined in our terms of use (‘General Terms and Conditions’), how we use and protect this data and your rights in relation to this data.
This Policy applies to personal data we collect about you through:
- our website “https://www.flyfish.com” (‘Website’)
- the Flyfish mobile app
- the Flyfish platform
- all communication with you, including whenever we contact you to promote our products and services
We value your privacy and will only handle personal information about you or provided by you in compliance with Data Protection legislation. For the purposes of this Policy, Data Protection legislation refers to the General Data Protection Regulation (‘GDPR’) and any national laws, regulations and supplementary legislation that implement it, as well as any subsequent updates or amendments. It also encompasses any successor legislation to the GDPR and other applicable privacy laws.
Our Website and Services may include links to websites or applications operated by third parties, including Issuers, that are not covered by this Policy. We encourage you to review the privacy policies of those websites and applications to familiarise yourself with their data handling practices.
By utilising and/or accessing our Website or Services, you consent to the collection, utilisation, and disclosure of information as outlined in this Policy. Please be aware that this Policy may be subject to occasional changes. Your continued use of the Website or Services signifies your acceptance of any such modifications.
You need to ensure that your personal data remain updated at all times. If you have any questions about this Policy, please contact us at support@flyfish.com.
If, after contacting us, you believe that we have infringed upon your privacy rights, you can lodge a complaint with the appropriate supervisory authority.
Office of the Commissioner for Personal Data Protection
15 Kypranoros Street,
1061 Nicosia, Cyprus
Tel: +357 22818456
Fax: +357 22304565
Email: commissioner@dataprotection.gov.cy
https://www.dataprotection.gov.cy
3. Who are we
3.1 Flyfish Services Ltd (‘Company’, ‘we’, ‘us’ or ‘our’) is the Data Controller of your personal data. We are responsible for processing your personal data for the purposes stated under this Policy and have therefore concluded a specific and separate data processing agreement in accordance with the requirements of the GDPR.
3.2 Flyfish Services Ltd is registered at Cyprus’ Companies House register under company registration number HE449375 and registered address 27 Evagora Pallikarides Street, 1st Floor, 8010 Paphos, Cyprus.
3.3 We have appointed a Data Protection Officer (‘DPO’) who is responsible for overseeing our data protection compliance, answering your concerns and assisting you in exercising your rights under the GDPR. Our DPO is reachable at support@flyfish.com.
4. What personal data we collect
4.1 Personal data, or personal information, means any information about a person based on which that person can be identified. It does not include data where the identity has been removed (anonymous data).
4.2 We may collect, use, store and transfer different types of personal data about you grouped as follows:
- Identity Data includes first name, last name, username or similar identifier. For example, in an email, phone or live chat conversation, we may collect information such as your full name, email address and phone number.
- Contact Data includes billing address, invoicing address, email address and telephone numbers.
- Financial Data includes bank account and payment details.
- Transaction Data includes details about payments and other details of our Services you have purchased from us.
- Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this Website.
- Profile Data includes your username and password, reservations made by you, your interests, preferences, feedback and survey responses.
- Usage Data includes information about how you use our Website and Services.
- Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
- Interaction Data includes any information that you might provide to any discussion forums on the Website.
- Cookies Data refer to data stored and used to enhance your experience and gather information about visitors to our websites. Please refer to our Cookie Policy for more information about cookies and how we use them.
- Third Parties Data refer to information we receive about you from other sources. This may be the case when you use any of the other websites we operate with or through the Services we provide. We will inform you when we have collected such data which may be shared internally and combined with data collected on our Website. We may also receive information about you from third parties we cooperate with such as business partners, suppliers, sub-contractors, advertising networks, analytics providers and search information providers.
- Analytics Data refer to third-party analytics services (such as Google Analytics) we use to evaluate your use of the Website, compile reports on activity, collect demographic data, analyse performance metrics, and collect and evaluate other information relating to our Website and internet usage. These third parties use cookies and other technologies to help analyse and provide us the data. By accessing and using the Website, you consent to the processing of data about you by these analytics providers in the manner and for the purposes set out in this Policy.
4.3 We may also gather, use and share aggregated data, such as statistical or demographic information, for various purposes. Aggregated data may be derived from your personal data but is not classified as personal data under legal guidelines because it does not directly or indirectly reveal your identity. For instance, we might aggregate your Usage Data to determine the percentage of users accessing a specific Website feature. However, if we combine or link Aggregated Data with your personal data in a way that can directly or indirectly identify you, we treat the merged data as personal data, subject to the terms of this Policy.
4.4 We do not collect any Special Categories of personal data about you. This includes details about your race or ethnicity, religious or philosophical beliefs, sex life or orientation, political opinions, trade union membership, information about your health, and genetic and biometric data. We also do not gather information about criminal convictions and offenses.
5. How we collect your personal data
5.1 We will not collect any personal data unless it has been willingly supplied, entered or uploaded by you personally. You are strictly prohibited from inputting third-party personal data, including registering a third party (such as Users, Admins, employees, etc.), without obtaining proper authorisation from the said third party. You bear the sole responsibility for ensuring that your processing activities and the provision of third-party personal data comply with the stipulations of any relevant data protection legislation.
5.2 We or third-party data processors, agents, and subcontractors acting on our behalf may gather, retain and employ your personal information through direct interaction with you. You may furnish us with your information by completing forms on our Website or by engaging in communication with us through mail, telephone, email, or other means. This includes personal data provided when you:
- Present content on our Website
- Utilise any of our Services
- Establish an account on our Website
- Subscribe to our Services or publications
- Request marketing materials
- Participate in a competition, promotion, or survey
- Provide feedback to us
5.3 If you are an existing customer, we will only reach out to you electronically regarding products or services similar to those you’ve previously purchased. If you are a new customer, we will only contact you if you have provided your consent.
5.4 In certain instances, the collection of personal data may be obligatory by law or under a contract. Failure to provide your personal data in these situations may limit the products and/or services we can offer you.
6. How we process your personal data
6.1 We will process your personal data as per the following categories:
- Customisation
To tailor your experience on our Website and ensure that we deliver content and product offerings that align with your specific interests.
- Contests and promotions
To manage contests, promotions, surveys or other features on our Website.
- Email communication
We may periodically send you emails if you have opted to receive such communication. If you wish to discontinue receiving promotional emails from us, please refer to section 11 to learn more about your rights. If you have not chosen to receive email newsletters, you will not receive these emails. Visitors who register or engage in other site features, such as marketing programs and ‘members-only’ content, have the option to decide if they wish to be included in our email list and receive email communications from us.
- Content presentation
To effectively present content on our Website to you.
- Information and services
To provide you with information and services that you request or, with your consent, that we believe may be of interest to you.
- Contractual obligations
To fulfill our contractual commitments to you.
- Service provision
To deliver the relevant services to you.
- Billing information
To inform you about our charges.
6.2 We may maintain a record of the most frequently used links to enhance our ability to provide valuable information. However, we assure you that this data will be kept confidential and your identity will remain anonymous in connection with this information.
6.3 If you prefer that we do not utilise your personal data for any of the purposes outlined above, you have the option to inform us at any time by reaching out to us at support@flyfish.com. In such cases, we will proceed to remove your data from our systems. Please be aware, however, that this choice may have an impact on our ability to deliver the highest level of service to you.
6.4 We will exclusively utilise your personal data in compliance with applicable laws and regulations. Typically, we employ your personal data in the following circumstances:
- When it is necessary to fulfill the contract we are in the process of forming with you or have already entered into.
- When it is essential for our legitimate interests (or those of a third party) and these interests do not outweigh your interests and fundamental rights.
- When we are required to meet a legal or regulatory obligation.
6.5 With your consent and/or as allowed by applicable laws, we may also employ your personal data for marketing purposes. This may involve contacting you through email and/or telephone to provide information, updates and offers related to our Services. In doing so, we commit to adhere strictly to the terms outlined in this Policy and refrain from sending unsolicited marketing or spam. We take all reasonable measures to safeguard your rights and adhere to our obligations under the GDPR and the Privacy and Electronic Communications Regulations 2003, as amended.
7. What legal bases we rely on to process your personal data
7.1 The GDPR requires us to explain the valid legal bases we rely on in order to process your personal data. As such, we may rely on any of the following legal bases to process your personal information:
- Consent
We may process your information if you have given us permission (i.e. consent) to use your personal information for a specific purpose. You can withdraw your consent at any time. Please refer to section 11 to learn more about your rights and how to withdraw your consent.
- Performance of a contract
We may process your personal information when we believe it is necessary to fulfil our contractual obligations to you, including providing our Services or at your request prior to entering into a contract with you.
- Legal obligations
We may process your information where we believe it is necessary for compliance with our legal obligations, such as to cooperate with a law enforcement body or regulatory agency, exercise or defend our legal rights, or disclose your information as evidence in litigation in which we are involved.
- Vital interests
We may process your information where we believe it is necessary to protect your vital interests or the vital interests of a third party, such as situations involving potential threats to the safety of any person.
- Public interest
We may process your personal information when necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us as Controller of your personal data.
- Legitimate interests
We may process your information when necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the Data Subject, in particular where the Data Subject is a child. Legitimate interests include compliance with AML regulations.
7.2 If we receive personal data while delivering our Services to you and it originates from another Data Subject, it is your responsibility to ensure that the contents of this Policy are made known to them. Additionally, you should obtain their consent in the process.
7.3 On certain occasions, it may be suitable for us to merge your information with other data we may possess about you. This could involve associating your name with your geographical location or your browsing and purchasing history.
8. When and with whom we share your personal data
8.1 We may share your personal data with third-party vendors, service providers, contractors, or agents who perform services for us or on our behalf and require access to such information to do that work. We have contracts in place with our third parties, which are designed to help safeguard your personal information. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will also not share your personal information with any organisation apart from us. They also commit to protect the data they hold on our behalf and to retain it for the period we instruct them to.
8.2 We also may need to share your personal information in the following situations:
- Business Transfers
We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
- Affiliates
We may share your information with our affiliates, in which case we will require those affiliates to honour this Policy. Affiliates include our parent company and any subsidiaries, joint venture partners, or other companies that we control or that are under common control with us.
- Business Partners
We may share your information with our business partners to offer you certain products, services, or promotions.
9. How long do we keep your personal data
9.1 We will retain personal data for the duration of our relationship and up to five years following the conclusion of our relationship. However, in certain instances, we may be obligated to retain personal data for an extended period of an additional five (in some cases more) years to ensure compliance with legislative and regulatory mandates. We regularly assess our obligations for data retention to ensure that we do not retain data beyond what is legally required.
10. How do we keep your personal data safe
10.1 We employ a range of physical and technical safeguards to protect your personal data and prevent unauthorised access, use or disclosure. Our electronic data and databases are stored on secure computer systems and we control access through both physical and electronic means. Our staff undergoes training in data protection and information security. We have comprehensive security policies, IT infrastructure guidelines, and data protection protocols that follow principles of limiting access to ‘need-to-know’ and granting less-privileged access. We utilise encryption for personal data and implement firewalls, intrusion detection and prevention systems to maintain the confidentiality and security of all your personal information.
10.2 While we take every reasonable measure to ensure the security of your personal data, we cannot guarantee its security during transmission from you to our app, Website, or other Services. We conduct regular system testing and review our policies to ensure that our IT security measures stay ahead of potential threats.
10.3 Data security is of paramount importance to us. To safeguard and secure data collected through our Website, we have established appropriate physical, electronic and organisational procedures and any personal data used for your payments are encrypted for additional security. Moreover, we restrict access to your personal data only to employees, agents, contractors and other third parties who have a legitimate business need to access it. These individuals will process your personal data solely based on our instructions and are bound by strict confidentiality obligations.
10.4 We have also established protocols to address any suspected breaches of personal data and will notify you of any such instances and any relevant regulatory authorities if we are legally obligated to do so.
10.5 As Controller of your personal data, we have performed a Data Protection Impact Assessment (‘DPIA’) where processing of data could result in high risk to clients. The purpose of the DPIA is to determine the necessity and proportionality of processing, including the purposes for which the activity is carried out, the risks for individuals and measures that can be put in place to mitigate those risks. The DPIA is performed every time a new or amended process is implemented which may result in high risk to privacy.
10.6 Despite the security measures we have in place, it is essential to be aware that transmitting data over the internet may not be entirely secure. We recommend that you exercise appropriate precautions when sending data to us via the internet, as there is a potential risk that the transmission may not be entirely secure. Although we will do our best to protect your personal information, transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment.
11. What are your privacy rights
11.1 When you provide information through our Website, you may be presented with options to limit the utilisation of your personal data. Our objective is to offer you control over how we utilise your personal data, which includes the option to opt-out of receiving emails from us.
11.2 Under the provisions of GDPR, you possess the following rights:
- Request access to your personal data held by us, including the right to deletion or correction, at no expense to you.
- Request the transfer of your personal data to another person (data portability).
- Be informed about the nature of data processing activities.
- Exercise the right to restrict processing.
- Object to the processing of your personal data.
- Lodge a complaint with a supervisory authority.
11.3 Additionally, you have rights pertaining to automated decision-making and profiling. In the event that we employ personal data for automated decision-making purposes, and if these decisions carry a legal or similarly significant impact on you, you possess the right, as per GDPR, to contest such decisions. You can request human intervention, express your viewpoint, and seek an explanation of the decision from us.
11.4 This right does not apply in the following circumstances:
- The decision is necessary for the initiation or fulfillment of a contract between you and us.
- The decision is sanctioned by legal requirements.
- You have explicitly given your consent.
11.5 When we utilise your personal data for profiling objectives, the following principles will be observed:
- We will provide clear information that elucidates the profiling, including its significance and likely consequences.
- We will employ suitable mathematical or statistical methods.
- We will establish technical and organisational measures to minimize the risk of errors and ensure that any errors can be easily rectified.
11.6 All personal data processed for profiling will be safeguarded to prevent any discriminatory consequences resulting from the profiling.
11.7 You retain the right to request that we refrain from processing your personal data for marketing purposes. We will notify you prior to gathering your data if we intend to employ your data for such objectives or if we plan to share your information with any third party for marketing purposes.
11.8 To exercise any of these rights or if you have any inquiries regarding your rights, please reach out to us at support@flyfish.com.
12. Links to other sites
12.1 Please be aware that this Policy does not extend to other websites that you access through links on our Website. We do not have control over the data collection, storage or utilisation practices of other websites. Therefore, we recommend that you review the privacy policies of any such websites before disclosing any data to them.
13. Changes to this Policy
13.1 We may update this Policy from time to time to reflect changes in our practices or for other operational, legal or regulatory reasons. We will inform you directly by email or other means of any significant updates to this Policy.
14. Contact us
If you have any questions about this Policy, please contact us at support@flyfish.com.
15. GDPR Compliance Statement
The General Data Protection Regulation (‘GDPR’) came into force across the European Union on 25 May 2018 and has brought with it the most significant changes to data protection law in two decades. Based on privacy by design and taking a risk-based approach, the GDPR has been designed to meet the requirements of the digital age.
Our Commitment
Flyfish Ltd are committed to ensuring the security and protection of the personal information that we process, and to provide a compliant and consistent approach to data protection. We have a robust and effective data protection program in place which complies with existing law and abides by the data protection principles.
Flyfish Ltd are dedicated to safeguarding the personal information under our remit and in developing a data protection regime that is effective, fit for purpose and demonstrates an understanding of, and appreciation for GDPR principles. Our objectives for GDPR compliance have been summarised in this statement and include the development and implementation of data protection roles, policies, procedures, controls and measures to ensure maximum and ongoing compliance.