Privacy policy

Last updated : 2026-06-15

Baseline document to complete and have validated by legal counsel before final publication. Every TODO_FOUNDER_REVIEW placeholder must be filled in and every “to be confirmed” point verified.

This policy describes how NoFlyer processes personal data of owners (customers) and of visitors to public property pages (“guests”).

Data controller

TODO_FOUNDER_REVIEW (controller entity and contact details).

Owner data

  • Account: e-mail address, password (stored hashed), role.
  • Property: public descriptive information and uploaded media.
  • Billing: subscription and payments handled via the payment provider (Stripe). NoFlyer does not store card numbers.
  • Support: assistance requests and exchanges.

Guest data (public pages)

  • Viewing of a property public page accessed by link / QR code.
  • Technical logs: hashed IP address (never in clear text), user agent, timestamp.
  • Chatbot usage: questions asked, limited to the property public context.
  • Wi-Fi code display: revealed only on the visitor's explicit request.

Purposes

  • Provide and operate the NoFlyer service.
  • Ensure security and prevent abuse and fraud.
  • Manage subscription and billing.
  • Provide support and improve the service.

Legal bases (to be confirmed)

  • Performance of the contract for owner account and billing data.
  • Legitimate interest for security and minimised technical logs.
  • Consent where relevant, should any optional processing be introduced later.

Recipients and processors (to be confirmed)

  • Infrastructure hosting provider: TODO_FOUNDER_REVIEW.
  • Stripe, for payment and subscription processing.
  • OpenAI, for the chatbot limited to the property public context (only if the feature is enabled).
  • Transactional e-mail provider: TODO_FOUNDER_REVIEW (if applicable).

Transfers outside the European Union (to be confirmed)

Some processors (notably Stripe and OpenAI) may involve data transfers outside the European Union, governed by appropriate safeguards such as standard contractual clauses. The exact list and associated safeguards are to be confirmed.

Retention periods (to be confirmed)

  • Account data: for the duration of the contract, then deletion / anonymisation within a period to be confirmed.
  • Technical logs: limited duration to be confirmed.
  • Billing data: retained according to applicable legal and accounting obligations.

Your rights

Under the GDPR, you have rights of access, rectification, erasure, objection, restriction and portability. To exercise these rights, contact TODO_FOUNDER_REVIEW (e-mail). Requests are handled following the documented internal procedure (see the DSAR runbook).

Complaint

You may lodge a complaint with the competent supervisory authority (in France, the CNIL, www.cnil.fr) if you consider that your rights are not respected.

Security

NoFlyer applies technical measures such as transport encryption, password hashing, and log minimisation and redaction (no clear-text IP, no secret or password logged).

Data protection officer (where applicable)

TODO_FOUNDER_REVIEW (DPO contact details if a DPO is appointed).