GDPR Compliance
Last updated July 3, 2026
Last updated: 1 July 2026
AirportFusion is operated from the European Union and is committed to full compliance with Regulation (EU) 2016/679 (GDPR). This page summarises our compliance framework. For the complete picture of what we process and why, read our Privacy Policy.
1. Our role
- For the website and traveller accounts, AirportFusion is the data controller.
- For the public API, when your application forwards personal data of your own end users (for example addresses they type), you are the controller and AirportFusion acts as your processor, processing that data solely to execute searches on your behalf.
2. Data protection principles we apply
- Data minimisation — we collect only what the Service needs. Anonymous search works without an account.
- Pseudonymisation and anonymisation — IP addresses are irreversibly hashed before storage; analytics sessions use random identifiers; AI requests contain no account identifiers.
- Storage limitation — every data category has a defined retention period (see § 6).
- Security by design — TLS in transit, encrypted secrets at rest, bcrypt password hashing, role-based admin permissions, audit logging of administrative actions.
- Transparency — this page, the Privacy Policy and the Cookie Policy describe all processing in plain language.
3. Processors and sub-processors
| Processor | Purpose | Location / transfer mechanism | | --- | --- | --- | | Stripe | Payments, subscriptions, invoicing | US/EU — EU–US Data Privacy Framework, SCCs | | OpenAI | AI route recommendations (pseudonymised search context only) | US — SCCs; API data not used for model training | | Email delivery provider | Transactional email | EU or DPF/SCC-covered | | Hosting / database provider | Application infrastructure | EU |
We maintain Article 28 data processing agreements with each processor and review this list before adding new ones.
4. International transfers
Where data leaves the EEA (Stripe, OpenAI), transfers rely on adequacy decisions (EU–US Data Privacy Framework) and/or Standard Contractual Clauses, with supplementary technical measures (pseudonymisation, minimisation) applied to the transferred data.
5. Your rights and how to exercise them
Under Articles 15–22 GDPR you can request:
- Access — a copy of the personal data we hold about you;
- Rectification — correction of inaccurate data (much of it editable directly in your account);
- Erasure — deletion of your account and associated personal data;
- Restriction — limiting processing while a dispute is resolved;
- Portability — your account and search data in a machine-readable format;
- Objection — to processing based on legitimate interests, including analytics;
- Withdrawal of consent — at any time, for consent-based processing such as optional cookies.
Send requests to the support email published on this site from the address linked to your account (or with equivalent proof of identity). We respond within one month, extendable by two further months for complex requests, in which case we will tell you why.
You also have the right to lodge a complaint with a supervisory authority — in France, the CNIL (www.cnil.fr), or the authority of your habitual residence.
6. Retention schedule (summary)
| Data | Retention | | --- | --- | | Account data | Life of the account + 30 days | | Search logs | Up to 24 months, then deleted or anonymised | | Analytics events | Up to 14 months | | API usage records | Up to 36 months (billing evidence) | | Invoices | 10 years (legal obligation) | | Email logs | Up to 12 months | | Audit logs | Up to 24 months |
7. Personal data breaches
We maintain an incident-response procedure. Where a breach is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of it (Article 33) and affected users without undue delay (Article 34).
8. Data Protection Officer
If a DPO is appointed, their contact details are published here and reported to the supervisory authority. Until then, privacy matters are handled by our privacy team at the support email published on this site.