Privacy Policy

FlightIQ is a product of Two Brains LLC, a Delaware limited liability company located at 8 The Green #14095, Dover, DE 19901, United States. This policy explains how we collect, use, share, retain, and protect information when you use FlightIQ.

Account and profile data

This may include your name, email address, authentication information managed through our auth provider, saved preferences, loyalty programs, card programs, nationality, and traveler profile details you choose to provide.

Search, recommendation, and booking activity

We may store flight searches, result interactions, filters, AI assistant conversations, booking attempts, reservation details, and support history to operate the service and improve it.

Passenger and booking data

When you book, we may process passenger names, dates of birth, contact information, itinerary details, airline references, and transaction metadata needed to create and support the reservation.

Device and usage data

We may collect IP address, browser type, device information, operating system, referrer, session identifiers, interaction events, approximate geolocation, and diagnostic data.

• Operate account, search, recommendation, booking, and support features.
• Personalize scores, Smart Picks, AI responses, and product surfaces using the profile data you provide.
• Process payments, complete bookings, send confirmations, and manage reservation support.
• Monitor fraud, abuse, account misuse, and booking/payment risk.
• Debug, analyze, and improve product performance, reliability, and quality.
• Comply with legal obligations, enforce terms, and respond to lawful requests.

We share information only as reasonably necessary to operate or support the service.

• Duffel and similar providers: search, booking, passenger, and reservation-support data.
• Airlines and travel suppliers: passenger and itinerary details required to ticket and operate travel.
• Stripe and payment partners: payment processing, authentication, fraud screening, and transaction support. We do not receive or store your full card number, expiration, or CVC.
• Supabase and infrastructure vendors: authentication, storage, and hosting.
• Resend and email providers: transactional and support email delivery.
• Google Gemini and AI vendors: prompts and contextual travel data needed to generate AI responses, with direct personal identifiers minimized where practical.
• PostHog and analytics providers: usage events, session data, device information, and approximate location used to analyze product performance and improve the service, subject to any consent preferences you set.

We do not sell or share your personal information for monetary or other valuable consideration as those terms are defined under applicable privacy laws.

FlightIQ uses third-party payment flows, including Stripe and Duffel-powered components, to process card payments. Card data is entered into secure hosted payment elements and sent directly to the relevant payment processor. We may receive limited transaction metadata such as status, amount, currency, network, and last four digits to support bookings and resolve issues.

We use browser storage and similar technologies to maintain sessions, preserve preferences, cache selected results, hold booking context, and support core app behavior.

We use PostHog for product analytics. PostHog may set cookies and collect usage events, session data, device characteristics, and approximate location to help us understand how the product is used and where it can be improved.

Where required by law (for example, in the European Economic Area and United Kingdom), we obtain your consent before enabling non-essential analytics. You can manage your preferences through the cookie consent controls presented when you first visit the site, or at any time through your browser settings.

• Account and profile data may be retained while your account remains active and as needed for support, legal compliance, and enforcement.
• Booking and transaction records may be retained longer where needed for fraud prevention, accounting, audit, legal obligations, disputes, or provider requirements.
• Search and interaction history may be retained for product improvement, support, and abuse prevention.

The following retention guidance describes our typical practice. Actual periods may be longer where applicable law, tax, accounting, fraud-prevention, dispute, or provider-contract obligations require, or shorter where you exercise an applicable deletion right:

• Account and profile data: duration of your active account, plus up to 12 months after deletion for legal, security, and enforcement purposes (longer if required by law).
• Booking, ticketing, and transaction records: up to 7 years for tax, accounting, audit, fraud-prevention, and dispute-resolution purposes.
• Payment metadata (e.g. amount, currency, last four digits, authorization status): up to 7 years, or as our payment providers require.
• Search, recommendation, and interaction events: up to 24 months in identifiable form for product improvement; aggregated or de-identified analytics may be retained longer.
• AI assistant conversations: up to 24 months in identifiable form for support, quality, and abuse prevention; shorter retention where required by vendor or law.
• Audit, access, and security logs: up to 24 months.
• Consent and communication-preference records: retained for as long as needed to demonstrate compliance.

When you request account deletion, we will process the request within 30 days. Certain records (such as booking, transaction, and fraud-prevention data) may be retained as required by law or provider obligations, but personal profile data will be removed or anonymized.

We use administrative, technical, and organizational safeguards intended to protect information. Sensitive profile and passenger data stored by the product is encrypted at rest when applicable, and data is transmitted over HTTPS/TLS. No system can be guaranteed perfectly secure, so we cannot promise absolute security.

In the event of a data breach that poses a risk to your rights, we will notify affected users and relevant authorities in accordance with applicable law.

Your information may be processed or stored in countries other than your own by us or our service providers, including the United States. By using FlightIQ, you acknowledge that those transfers may occur subject to applicable law and provider safeguards.

Where personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision from the relevant authority, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, or equivalent mechanisms, together with supplementary technical and organizational measures as we reasonably determine necessary. You may request a summary of the transfer mechanism we rely upon for a given processing activity by emailing contact@flightiq.ai.

• You may view or update certain profile information in the app.
• You may request account deletion, subject to records we must retain for legal, booking, fraud, or accounting purposes.
• You may request access to or export of certain stored information by contacting us.
• You may unsubscribe from promotional or optional emails where an unsubscribe mechanism is provided.

To make a privacy request, email contact@flightiq.ai.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following additional rights and disclosures apply under the General Data Protection Regulation (GDPR) and UK GDPR.

Lawful basis for processing

We process your personal data on the following bases:

• Contract performance: to operate your account, process bookings, manage reservations, and deliver the services you request.
• Legitimate interest: to improve the product, prevent fraud, ensure security, and conduct analytics — balanced against your privacy rights.
• Consent: for non-essential analytics (such as PostHog) and any optional communications, which you may withdraw at any time.
• Legal obligation: to comply with applicable laws, regulations, and lawful requests.

Your rights

Subject to applicable law, you have the right to:

• Access the personal data we hold about you.
• Rectify inaccurate or incomplete data.
• Erase your personal data (right to be forgotten), subject to legal retention requirements.
• Restrict processing in certain circumstances.
• Data portability: receive your data in a structured, commonly used format.
• Object to processing based on legitimate interest, including profiling.
• Withdraw consent at any time for processing based on consent, without affecting the lawfulness of prior processing.

Automated decision-making

FlightIQ uses algorithmic scoring (the FlightIQ Score) to rank and recommend flights. This scoring is informational and does not produce legal effects or similarly significant effects on you. You are free to disregard the scores and select any flight. No booking, pricing, or access decision is made solely by automated means.

Supervisory authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority in the EU or UK member state where you reside, work, or where the alleged violation occurred.

To exercise any of these rights, contact us at contact@flightiq.ai. We will respond within 30 days, or as required by applicable law.

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information.

Categories of information collected

In the preceding 12 months, we may have collected: identifiers (name, email, IP address), commercial information (booking and transaction records), internet and electronic network activity (usage data, search history, device data), geolocation data (approximate location), and inferences (preferences, scores).

Sensitive personal information (SPI)

Certain categories of personal information we process may qualify as "sensitive personal information" under the CPRA, including passport or government-issued identification numbers, nationality or citizenship, precise geolocation in limited cases, and account credentials when combined with access to the account. We process SPI only for purposes reasonably necessary to provide the service — for example, to complete and ticket a booking, comply with government travel or security requirements, support you on an itinerary, prevent fraud, and protect the security and integrity of the service. We do not use SPI for purposes other than those permitted by applicable law, and we do not sell or share SPI for cross-context behavioral advertising.

Your rights

• Right to know: request what categories and specific pieces of personal information we have collected, used, disclosed, or sold.
• Right to delete: request deletion of personal information we have collected, subject to legal exceptions.
• Right to correct: request correction of inaccurate personal information.
• Right to opt out of sale or sharing: we do not sell or share your personal information for cross-context behavioral advertising. If this changes, we will provide an opt-out mechanism.
• Right to limit use of sensitive personal information: you may ask us to limit use of SPI to that necessary to deliver the service you requested.
• Right to non-discrimination: we will not deny service, charge different prices, or provide a different quality of service because you exercise your privacy rights.

Opt-out preference signals (Global Privacy Control)

For California, Colorado, and other US states that recognize opt-out preference signals, we honor recognized browser-based signals (including Global Privacy Control, or "GPC") as an opt-out of any sale of personal information and of sharing for cross-context behavioral advertising when received from your browser, to the extent applicable to us.

To exercise these rights, contact us at contact@flightiq.ai. We will verify your identity and respond within 45 days, or as required by applicable law.

If you reside in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Delaware (DPDPA), New Hampshire (NHPA), New Jersey (NJDPA), Tennessee (TIPA), or another US state that has enacted a comprehensive consumer privacy law, you may have rights similar to those described above, which may include: the right to access or know, the right to delete, the right to correct, the right to data portability, the right to opt out of the sale of personal information, the right to opt out of targeted advertising, and the right to opt out of certain types of profiling that produce legal or similarly significant effects.

To exercise a state privacy right, email contact@flightiq.ai. We will verify your identity and respond within the timeframe required by applicable law (typically 30 to 45 days, with one extension where permitted). If we decline a request, we will explain why and, where required, provide you with information on how to appeal our decision. We do not sell your personal information for monetary consideration and do not use it for targeted advertising or profiling that produces legal or similarly significant effects.

FlightIQ uses artificial intelligence, including large language models provided by third-party vendors, to power search understanding, conversational assistance, itinerary analysis, and recommendations. Outputs generated by these systems are clearly presented as AI-assisted and are not a substitute for airline-issued information, legal advice, or official immigration, health, or safety guidance.

No booking, pricing, refund, eligibility, or account-access decision is made solely by automated means. Scoring and recommendations are informational, and you can always request human review by contacting contact@flightiq.ai. Where applicable, this disclosure is intended to satisfy transparency obligations under laws such as the EU AI Act.

FlightIQ is not directed to children under 13. We do not knowingly create standalone accounts for children. Booking-related traveler information for minors may be processed only when supplied by an adult in connection with a booking.

We may update this policy from time to time. If changes are material, we may provide notice by email, in-product prompt, or other reasonable means. The effective date above reflects the latest version.

Questions about this policy? Contact us at contact@flightiq.ai or write to:

Two Brains LLC
8 The Green #14095
Dover, DE 19901
United States