This policy explains how FlightForm collects and uses personal data when you use our website and platform. It also sets out, in section 4, exactly how we handle data we receive from Google when you sign in with a Google account.
1. Who we are
FlightForm is a corporate travel management platform operated by SW87 Ventures Ltd (“FlightForm”, “we”, “us”, “our”), a company registered in England and Wales under company number 15919934 with its registered office at 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ.
The platform is provided to Travel Management Companies (“TMCs”) so that they can manage travel bookings for their corporate clients and travellers. This policy applies to our marketing website at flightform.app and to the FlightForm application hosted at flightform.io and its subdomains.
2. Our role in your data
FlightForm acts in two different capacities depending on the data involved:
- As a data controller for the information we hold about the people and organisations who hold accounts with us directly, including account and login details, billing contacts, and how the platform is used. We decide how and why this data is processed.
- As a data processor for the traveller and booking information that a TMC and its client companies enter into the platform (for example traveller profiles, passport records, and trip details). For this data the TMC is the controller and we process it on their instructions under our agreement with them. If you are a traveller or booker and have questions about this data, please contact your TMC in the first instance.
3. Information we collect
Account and identity data
When you create or are given an account, we collect your name, email address, role, the organisation you belong to, and authentication details. If you sign in using Google, we receive the information described in section 4. Authentication is handled by our identity provider, Clerk.
Traveller and booking data
To deliver the service, the platform stores travel-related information entered by TMCs, bookers, and travellers. This can include traveller names, dates of birth, contact details, passport and travel-document records, travel preferences, trip itineraries, and approval records. We process this on behalf of the relevant TMC.
Usage and technical data
We collect technical information automatically, such as IP address, browser and device type, pages viewed, and timestamps, to operate, secure, and improve the platform.
4. Google user data
FlightForm’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
When you choose to sign in with Google, we request the minimum scopes required to authenticate you. We receive only your basic profile information, namely your name, email address, and profile picture, together with a unique Google account identifier.
We use this Google user data solely to:
- create and authenticate your FlightForm account;
- identify you within the platform and display your name and profile picture; and
- send you essential service-related communications.
We do not request access to your Gmail, Google Drive, Google Calendar, contacts, or any other Google service, and we do not read, store, or process data from those services. We do not use Google user data for advertising, we do not sell it, and we do not transfer it to third parties except as needed to provide and secure the sign-in feature (for example to our authentication provider) or where required by law. We do not allow humans to read this data unless we have your consent, it is necessary for security or to comply with law, or the data has been aggregated and anonymised.
5. How we use information and our legal bases
Under the UK GDPR we rely on the following legal bases:
- Contract: to provide the platform to you and to the TMC you work with, manage accounts, and deliver support.
- Legitimate interests: to secure the platform, prevent fraud and abuse, understand usage, and improve our service, balanced against your rights.
- Legal obligation: to comply with applicable law, including tax, accounting, and lawful requests from authorities.
- Consent: where we ask for it, such as certain marketing communications. You can withdraw consent at any time.
6. Cookies
We use cookies and similar technologies that are strictly necessary to operate the platform (including keeping you signed in), and, with your consent where required, cookies that help us measure and improve usage. You can manage non-essential cookies through your browser settings or any cookie controls we provide.
7. Sharing and sub-processors
We do not sell personal data. We share it only with service providers who process it on our behalf to run the platform, and only under contracts that require appropriate safeguards. Our principal sub-processors are:
| Provider | Purpose |
|---|---|
| Clerk | Authentication and user management |
| Supabase | Database and file storage |
| Vercel | Application hosting |
| Resend | Transactional email delivery |
| Duffel | Flight and accommodation search and content |
| SerpAPI | Hotel and travel search results |
| Mapbox | Mapping and location display |
| Anthropic | AI-assisted features (for example the trip request assistant) |
| Google | Sign-in with Google (see section 4) |
We may also disclose personal data where required by law, to enforce our agreements, or in connection with a corporate transaction such as a merger or acquisition.
8. International transfers
Some of our sub-processors are based outside the UK. Where personal data is transferred internationally, we rely on appropriate safeguards such as adequacy decisions or the International Data Transfer Agreement and the UK Addendum to the EU Standard Contractual Clauses.
9. Data retention
We keep personal data only for as long as needed for the purposes set out in this policy, to comply with legal obligations, and to resolve disputes. Traveller and booking data is retained in line with our agreement with the relevant TMC; we delete or return it on their instructions or on termination of their account, subject to legal retention requirements.
10. Security
We apply technical and organisational measures appropriate to the risk, including encryption in transit, access controls, row-level database security so that users can only access data they are permitted to see, and regular review of our providers. No system is completely secure, but we work to protect your data and to notify the relevant parties of any breach as required by law.
11. Your rights
Subject to applicable law, you have the right to access, correct, delete, restrict, or object to the processing of your personal data, the right to data portability, and the right to withdraw consent. Where we act as a processor for a TMC, we will pass your request to that TMC. To exercise your rights, contact us using the details below. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk).
12. Children
The platform is intended for business use by adults and is not directed at children. We do not knowingly collect personal data from children except where a traveller record is created by a booker for legitimate travel purposes and managed by the responsible adult or organisation.
13. Changes to this policy
We may update this policy from time to time. We will post the updated version here and revise the “last updated” date. Where changes are significant, we will take reasonable steps to notify you.
14. Contact us
For any privacy question or to exercise your rights, contact us at privacy@flightform.app.