Legal

Privacy Policy

Last updated: 2026-05-20

This Privacy Policy describes how Tech Waves LLC, a Delaware limited liability company (“Tech Waves,” “we,” “us,” or “our”), collects, uses, discloses, and protects information in connection with the FlightPing service available at flightping.xyz and related properties (the “Service”). By using the Service, you consent to the practices described in this Policy. If you do not agree, do not use the Service.

1. Information we collect

(a) Account information. When you sign in via Google OAuth, we receive your name, primary email address, profile image URL, and a Google account identifier. We do not receive or store your Google password.

(b) Service data. Alerts you create (airline, flight number, date, cabin class, seat preferences, adjacency settings), the results of availability checks we perform on your behalf, and the email events we send to you (sent, delivered, opened where reported by Resend).

(c) Billing information. If you subscribe to a paid plan, Stripe, Inc. collects and stores your payment-card and billing-address information directly; we receive only a Stripe customer ID, the price/plan you purchased, the subscription status, period end date, and the last four digits of the card for display in the billing portal. We never see or store your full card number.

(d) Technical & usage data. Standard server logs (IP address, user-agent, timestamp, requested URL) retained for a short period to operate and secure the Service. Product analytics via PostHog (page views and a small set of product events such as sign-up, alert creation, and upgrade clicks); PostHog is configured without session replay.

(e) Cookies. We set strictly necessary cookies for authentication (Auth.js session cookie) and CSRF protection. We do not use cross-site tracking cookies or third-party advertising cookies.

What we do not collect. We do not collect passwords, precise location, phone numbers, government IDs, or sensitive categories of personal data (e.g., health, race, religion, sexual orientation, biometric data).

2. How we use information

We use the information described above to: (i) operate and provide the Service, including running availability checks and delivering alert emails; (ii) process payments, manage subscriptions, and provide customer support; (iii) detect, prevent, and respond to fraud, abuse, and security incidents; (iv) understand product usage and improve the Service; (v) communicate with you about service announcements, billing, and material changes to our terms or policies; and (vi) comply with applicable legal obligations.

We do not use your data to train machine-learning models, and we do not sell your personal information.

3. Legal bases for processing (GDPR/UK GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data on the following legal bases: performance of a contract (to provide the Service you signed up for); legitimate interests (security, fraud prevention, product analytics, direct service communications); consent (where required, such as for non-essential cookies); and compliance with a legal obligation (e.g., tax records).

4. Sharing & sub-processors

We share personal data only with service providers acting on our behalf under appropriate contractual safeguards:

• Google LLC — sign-in / OAuth.
• Neon, Inc. — managed Postgres database hosting.
• Vercel Inc. — web application hosting and edge network.
• Stripe, Inc. — payment processing and subscription management.
• Resend, Inc. — transactional email delivery.
• PostHog, Inc. — privacy-respecting product analytics.

We may also disclose information: (i) to comply with applicable law, lawful process, or governmental request; (ii) to enforce our Terms or protect the rights, property, or safety of Tech Waves, our users, or the public; or (iii) in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our business, in which case affected users will be notified.

We do not sell your personal informationand we do not “share” it for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act (“CCPA”) as amended by the CPRA.

5. International data transfers

Tech Waves is based in the United States, and our sub-processors may process data in the U.S. and other countries. Where we transfer personal data from the EEA, UK, or Switzerland to a country that has not been deemed to provide an adequate level of protection, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses or applicable equivalents.

6. Retention

We retain account and alert data for as long as your account is active. If you delete your account, we delete or anonymize personal data within thirty (30) days, except for records we are legally required to retain (e.g., Stripe invoices for tax purposes, fraud-prevention logs). Aggregated or de-identified data that cannot reasonably be linked to you may be retained indefinitely.

7. Your rights

Depending on where you live, you may have the right to: (a) access the personal data we hold about you; (b) correct inaccurate data; (c) request deletion; (d) object to or restrict certain processing; (e) data portability; (f) withdraw consent where processing is based on consent; and (g) lodge a complaint with a supervisory authority. California residents have additional rights under the CCPA/CPRA, including the right to know, the right to delete, the right to correct, and the right to opt out of any “sale” or “sharing” of personal information (which we do not do). We do not discriminate against users who exercise their privacy rights.

To exercise any of these rights, email privacy@flightping.xyz from the email address associated with your account. We will respond within the time required by applicable law (typically 30–45 days). We may need to verify your identity before fulfilling certain requests.

8. Security

We use industry-standard administrative, technical, and physical safeguards intended to protect your information, including encryption in transit (HTTPS/TLS), encryption at rest at our managed providers, restricted internal access, and principle-of-least-privilege credentials. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for keeping your Google account secure.

9. Children

The Service is not directed to children under thirteen (13), and we do not knowingly collect personal information from anyone under that age. If you believe a child has provided us personal information, please contact us and we will promptly delete it.

10. Do Not Track

We do not currently respond to browser-based “Do Not Track” signals because no industry standard for them exists. We do not engage in cross-site tracking for advertising.

11. Changes to this Policy

We may update this Policy from time to time. Material changes will be communicated by email or in-app notice prior to taking effect, and the “Last updated” date above will be revised. Your continued use of the Service after a change becomes effective constitutes acceptance of the revised Policy.

12. Contact

Data controller: Tech Waves LLC, a Delaware limited liability company.
Privacy requests: privacy@flightping.xyz
General contact: support@flightping.xyz