FlightMVPFlightMVP← Back to the map

Privacy Policy

Last updated: 10 June 2026

1. Who we are

FlightMVP ("we", "us") is operated by Kalvis Berzins, a sole trader based in England, United Kingdom, who is the data controller for the personal data described here.

For any privacy matter, including the rights set out below, contact: privacy@flightmvp.com

2. What this policy covers

FlightMVP is an interactive flight-route map and trip-planning website at flightmvp.com. This policy explains what personal data we collect when you use the site or create an account, how we use it, who we share it with, and your rights under UK data protection law.

3. The data we collect

When you create an account: your email address, your display name, and a securely hashed version of your password. If you sign in with Google, we receive your Google email, name, and profile image, plus the authentication tokens Google issues so we can keep you signed in. We record whether your email has been verified.

When you are signed in: to keep your session secure we store a session record that includes your IP address and browser user-agent string, for the lifetime of the session (see Retention).

When you use the site: if you run route searches, activate map overlays, click an onward booking link, or interact with upgrade prompts while signed in, we record the event linked to your account — specifically the airport codes you searched, which overlay you used, which booking partner you clicked, and similar product signals. We do not store free text, message content, or any data beyond those specific fields. We use this to understand how the product is used and to improve it.

Outbound partner clicks (everyone, including when signed out): when anyone clicks through to a booking or comparison partner (for example Skyscanner or Booking.com), we record an anonymous click — only which partner and the route's airport codes, with a timestamp — so we can measure how often these links are used. If you are signed in we also link it to your account (as above); if you are signed out it is not linked to you, and we do not store your IP address. This record contains nothing that identifies a signed-out visitor.

Saved routes (when enabled): if you save a route, we store the airports and trip details you chose, linked to your account. (This feature is currently inactive.)

Preferences in your browser: some settings (theme, remembered passport for the visa overlay, map display options) are stored locally in your browser and are not sent to us as account data. See our Cookie Policy.

Anonymous analytics: we use Plausible, a privacy-focused analytics tool that does not use cookies and does not collect personal data — only aggregate, anonymous traffic statistics.

We do not knowingly collect data from children. The service is not directed at children under 16.

4. How we use your data, and our legal bases

  • To provide your account and the service (email, name, password, sessions, saved routes) — necessary to perform our contract with you.
  • To verify your email and let you reset your password — necessary to operate your account securely.
  • To keep the service secure and prevent abuse (session data, and short-lived rate-limiting of IP addresses) — our legitimate interest in protecting the service and its users.
  • To understand and improve the product (the account-linked usage events described in Section 3) — our legitimate interest in improving FlightMVP. You can object at any time (Section 8).
  • To measure outbound partner-link clicks (the anonymous click record in Section 3) — our legitimate interest in understanding which onward booking links are useful; for signed-out visitors this record cannot identify you.
  • Aggregate, anonymous analytics (Plausible) — our legitimate interest in understanding aggregate site usage (visitor counts, popular pages, traffic sources) to improve the service; this analytics cannot identify you.

5. Who we share data with

We do not sell your personal data. We use the following service providers ("processors") who handle data on our behalf, and some independent third parties:

  • Supabase — hosts our database, located in Ireland (EU), where the data in Section 3 is stored.
  • Hetzner — hosts our application servers, located in Germany (EU).
  • Resend — sends our account emails (verification, password reset, and similar); receives your email address and name. Processing is in the EU (Ireland).
  • Mapbox — renders the interactive map; receives map requests and the IP address inherent to any such request (US-based).
  • Plausible (Plausible Insights OÜ, Estonia, EU) — privacy-focused, cookieless web analytics, with data hosted in the EU. It collects only anonymous, aggregated usage data (page URL, referrer, browser/OS/device type, and the country derived from your IP). Your IP address is used only transiently — to derive your country and a daily-rotating anonymous identifier — and is not stored; no cookies or persistent identifiers are set, so visitors cannot be identified or tracked across sites or across days.
  • Google — only if you choose to sign in with Google.
  • api.country.is — receives your IP address to detect your country, used to pre-select a default passport for the visa overlay.
  • AeroDataBox and Open-Meteo — provide flight and climate data; we send only airport codes and locations, never your personal data.

When you click a booking or comparison link (for example Skyscanner or Booking.com), you leave our site and that third party's own privacy policy applies. We may earn a commission from such links.

6. International transfers

Some of the providers above process data outside the UK and EEA — in particular Mapbox and Google, which are based in the United States. Where personal data is transferred outside the UK/EEA, we rely on appropriate safeguards, such as the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or an adequacy decision, as applied by the relevant provider.

7. How long we keep it

  • Account data: until you delete your account. You can delete it at any time (Section 8).
  • Usage events and saved routes: deleted automatically when you delete your account.
  • Sessions (including IP and user-agent): expire after 7 days.
  • Rate-limiting IP data: held only briefly in memory (minutes) and never stored permanently.
  • Server logs: retained for up to 30 days for security and operational purposes.

8. Your rights

Under UK GDPR you have the right to access, correct, delete, restrict, or object to our processing of your data, and to data portability.

  • Correct your data and change your email or password in your account settings.
  • Delete your account (and all associated data) yourself in your account settings — this is immediate and permanent.
  • For access to, or a portable copy of, your data, email privacy@flightmvp.com (we currently handle these requests manually).
  • To object to the usage-analytics processing, email us.

You also have the right to complain to the UK Information Commissioner's Office (ico.org.uk).

9. Security

Passwords are stored only as secure hashes, never in plain text. Connections use HTTPS, and account access is protected by secure, http-only session cookies and rate-limiting.

10. Changes

We may update this policy from time to time; the "last updated" date reflects the current version. Material changes will be made prominent on the site.

11. Contact

Questions or requests: privacy@flightmvp.com