Privacy Policy
Last updated: February 24, 2026
1. Data Controller
The data controller responsible for your personal data is:
- Company: [COMPANY LEGAL NAME]
- Registered address: [REGISTERED ADDRESS]
- Email: eleonora.fantinato@walljetcargo.com
For the purposes of the EU General Data Protection Regulation ("GDPR"), the data controller is the entity identified above.
2. Personal Data We Collect
We collect and process the following categories of personal data when you use our platform:
2.1 Account & Registration Data
- Full name and surname
- Email address
- Password (stored in hashed form only)
- Phone number (with international dialing code)
2.2 Company Information
- Company legal name
- Company address (street, house number, town, postcode)
- Country of registration
- European VAT number (for EU-based companies)
- Tax ID / Local VAT number (for non-EU companies)
- Account type (Operator / GSA or Broker)
- Empty legs email address (for operators only)
2.3 Payment Data
- Stripe customer identifier
- Payment transaction records (amount, currency, status, date)
- Subscription status and expiration date
Your credit card details are processed exclusively by Stripe, Inc. and are never stored on our servers. Please refer to Stripe's Privacy Policy for more information.
2.4 Technical & Session Data
- IP address
- Browser type and user agent string
- Session tokens and expiration timestamps
3. Purposes and Legal Basis for Processing
We process your personal data for the following purposes and legal bases under Article 6 of the GDPR:
| Purpose | Legal Basis |
|---|---|
| Creating and managing your user account | Performance of a contract (Art. 6(1)(b)) |
| Processing subscription payments via Stripe | Performance of a contract (Art. 6(1)(b)) |
| Providing access to empty leg flight listings | Performance of a contract (Art. 6(1)(b)) |
| Admin review and approval of registrations | Legitimate interest (Art. 6(1)(f)) — platform integrity and fraud prevention |
| Recording IP address and user agent for session security | Legitimate interest (Art. 6(1)(f)) — security and abuse prevention |
| Complying with tax and accounting obligations | Legal obligation (Art. 6(1)(c)) |
4. Data Sharing and Third-Party Processors
We share your personal data only with the following categories of recipients, all of whom are bound by data processing agreements:
- Stripe, Inc. (San Francisco, USA) — Payment processing. Stripe is certified under the EU-US Data Privacy Framework. See Stripe's Privacy Policy.
- Hosting provider — Our application and database are hosted on servers located within the European Economic Area (EEA).
We do not sell, rent, or trade your personal data to any third party. We do not use any analytics or advertising tracking services.
5. International Data Transfers
Your data is primarily stored and processed within the European Economic Area (EEA). Where data is transferred to third countries (e.g., to Stripe in the United States), such transfers are protected by:
- The EU-US Data Privacy Framework adequacy decision
- Standard Contractual Clauses (SCCs) approved by the European Commission
6. Cookies and Similar Technologies
Our platform uses only strictly necessary cookies required for the operation of the service:
| Cookie | Purpose | Duration |
|---|---|---|
| better-auth.session_token | Authentication session — keeps you logged in | Session / 7 days |
Since we only use strictly necessary cookies, no consent banner is required under ePrivacy Directive Article 5(3) and GDPR Recital 47. We do not use any analytics, advertising, or third-party tracking cookies.
7. Data Retention
We retain your personal data for the following periods:
- Account data: For the duration of your account, plus 30 days after account deletion to allow for recovery if requested.
- Payment and invoicing records: 10 years from the date of the transaction, as required by Italian and EU tax regulations (D.P.R. 600/1973, Art. 22 D.P.R. 633/1972).
- Session and security logs (IP address, user agent): Automatically deleted upon session expiration or 12 months, whichever comes first.
8. Your Rights Under GDPR
As a data subject, you have the following rights under the GDPR. You may exercise them by contacting us at eleonora.fantinato@walljetcargo.com:
- Right of access (Art. 15): Obtain confirmation of whether your data is being processed and request a copy of it.
- Right to rectification (Art. 16): Request correction of inaccurate personal data.
- Right to erasure (Art. 17): Request deletion of your personal data, subject to legal retention obligations.
- Right to restriction (Art. 18): Request limitation of processing in certain circumstances.
- Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interests.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
We will respond to your request within 30 days. If the request is complex, this period may be extended by an additional 60 days, in which case we will inform you.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption of data in transit (TLS/HTTPS)
- Passwords stored using industry-standard cryptographic hashing (bcrypt)
- Access controls and role-based permissions for administrative functions
- Rate limiting on authentication and API endpoints to prevent abuse
- Credit card data processed exclusively by PCI DSS Level 1 certified Stripe infrastructure
10. Children's Privacy
Our platform is a B2B service intended for business professionals. We do not knowingly collect personal data from individuals under the age of 16. If we become aware that data has been collected from a minor, we will take steps to delete it promptly.
11. Right to Lodge a Complaint
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. In Italy, the competent authority is:
- Garante per la protezione dei dati personali
- Piazza Venezia 11, 00187 Roma, Italy
- Website: www.garanteprivacy.it
- Email: garante@gpdp.it
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. Any changes will be posted on this page with an updated "Last updated" date. If changes are significant, we will notify registered users via email.
13. Contact Us
For any questions or requests regarding this Privacy Policy or your personal data, please contact:
- Email: eleonora.fantinato@walljetcargo.com
- Address: [COMPANY LEGAL NAME], [REGISTERED ADDRESS]