Privacy Policy

Last updated July 3, 2026

Last updated: 1 July 2026

AirportFusion ("AirportFusion", "we", "us") operates an address-to-address direct-flight search service available at this website and through our public API (together, the "Service"). This Privacy Policy explains what personal data we process, why, on which legal bases, and which rights you have. We are established in the European Union and process personal data in accordance with Regulation (EU) 2016/679 (the "GDPR").

1. Data controller

AirportFusion is the data controller for the processing described in this policy. You can reach our privacy team at the support address published on this site (see the Contact page). If we appoint a Data Protection Officer, their contact details will be published on our GDPR page.

2. Data we collect

2.1 Data you give us

  • Account data — email address, name (optional), password (stored only as a bcrypt hash, never in plain text), preferred language and country.
  • Developer profile data — company name, website and intended API use case, if you request API access.
  • Support communications — the content of emails or messages you send us.

2.2 Data created when you use the Service

  • Search queries — the origin and destination text you enter, the resolved coordinates, chosen radii, travel date and passenger count. Searches made while signed in are linked to your account; anonymous searches are linked only to a random session identifier.
  • Usage analytics — page views, clicks, funnel steps, device type, browser, operating system, referrer and UTM parameters. Analytics are designed to be privacy-preserving: IP addresses are never stored in raw form — they are irreversibly hashed before storage and used only for abuse prevention and rough deduplication.
  • API usage — endpoint, HTTP status, latency and monthly request counters per API key, used for quota enforcement and billing.
  • Affiliate click logs — when you click a partner link (see our Affiliate Disclosure), we record which partner was clicked, the search it came from, your locale and a hashed IP.

2.3 Data from third parties

  • Payments — subscriptions are processed by Stripe. We never see or store your full card number; Stripe sends us only the subscription status, invoice metadata and a customer reference.

3. AI processing of search context

When the optional AI recommendation feature is enabled, a compact, pseudonymised summary of your search results (airport names, route durations, estimated costs — never your name, email or account identifiers) is sent to OpenAI to generate a route recommendation. This processing happens only to answer the search you just ran. OpenAI acts as a processor under its data processing terms and, under our API configuration, does not use this data to train its models. You can use the Service fully without the AI feature.

4. Purposes and legal bases

| Purpose | Legal basis (GDPR Art. 6) |
| --- | --- |
| Providing search results and operating your account | Contract (6(1)(b)) |
| Billing, invoicing, subscription management via Stripe | Contract (6(1)(b)) and legal obligation (6(1)(c)) |
| Anonymised usage analytics and service improvement | Legitimate interest (6(1)(f)) |
| AI route recommendations | Legitimate interest (6(1)(f)); feature can be disabled |
| Affiliate click attribution | Legitimate interest (6(1)(f)) |
| Abuse prevention, rate limiting, security logging | Legitimate interest (6(1)(f)) |
| Transactional emails (welcome, billing, security) | Contract (6(1)(b)) |
| Non-essential cookies, if any | Consent (6(1)(a)) |

5. Sharing and processors

We do not sell personal data. We share data only with processors needed to run the Service:

  • Stripe — payment and subscription processing.
  • OpenAI — AI route recommendations (pseudonymised search context only).
  • Email delivery provider (SMTP) — transactional email delivery.
  • Hosting and database infrastructure providers — running the application.
  • Affiliate partners — when you click an outbound partner button you leave our Service; the partner's own privacy policy then applies. We pass no personal data in those links beyond what is technically required (e.g. destination city, travel date).

Each processor is bound by a data processing agreement under Article 28 GDPR.

6. International transfers

Some processors (e.g. Stripe, OpenAI) are located in the United States. Transfers rely on the EU–US Data Privacy Framework and/or Standard Contractual Clauses with supplementary measures where required.

7. Retention

  • Account data — kept while your account is active; deleted or anonymised within 30 days of account deletion.
  • Search logs — kept up to 24 months for product analytics, then deleted or fully anonymised.
  • Analytics events — kept up to 14 months.
  • API usage records — kept up to 36 months for billing evidence.
  • Invoices and billing records — kept 10 years as required by EU accounting law.
  • Email logs — kept up to 12 months.
  • Audit logs — kept up to 24 months for security purposes.

8. Your rights

Under the GDPR you have the right to access, rectify, erase, restrict, and port your personal data, to object to processing based on legitimate interests, and to withdraw consent at any time (without affecting prior processing). Write to our support email to exercise any right; we respond within one month. You may also lodge a complaint with your local supervisory authority — in France, the CNIL (www.cnil.fr).

9. Security

We protect data with encryption in transit (TLS), encryption at rest for stored secrets, bcrypt password hashing, hashed IP addresses, role-based admin access controls and audit logging of administrative actions.

10. Children

The Service is not directed at children under 16 and we do not knowingly collect their data.

11. Changes

We may update this policy. Material changes will be announced on this page with a new "last updated" date, and — for significant changes — by email to registered users.