Privacy Policy
Last Updated: January 1, 2026
Your privacy matters to us. This Privacy Policy explains how FlyCompensations Ltd collects, uses, shares and protects your personal data when you use the FlyPayout service at flypayout.com.
We are the controller of your personal data: FlyCompensations Ltd, company registration number 21905976, tax ID (PIB) 113643348, with registered office at 17 Makenzijeva, Belgrade, Republic of Serbia. You can reach us about anything in this Policy at support@flypayout.com.
We process personal data in line with the Serbian Law on Personal Data Protection (Official Gazette of RS No. 87/2018, the “LPDP”) and, where we process the data of individuals located in the European Union or the European Economic Area in connection with our services, the EU General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”). The LPDP closely mirrors the GDPR; where we refer to a GDPR article below, the corresponding provision of the LPDP applies in parallel.
We rely mainly on performing our contract with you and on our legal obligations to process your data. We use consent only where the law requires it, namely for marketing messages and non-essential cookies. Using our website does not by itself mean you consent to all processing; each activity has its own legal basis, explained below.
1. The words we use
Personal data. Any information relating to an identified or identifiable individual, such as a name, an identification number, location data or an online identifier.
Processing. Any operation performed on personal data, such as collecting, recording, storing, using, disclosing, transferring, restricting, erasing or destroying it.
Controller. The party that decides why and how personal data is processed. For the purposes of this Policy, that is us, FlyCompensations Ltd.
Processor. A party that processes personal data on our behalf and on our instructions.
Consent. Your freely given, specific, informed and unambiguous agreement to a particular processing of your data.
Personal data breach. A security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
You / data subject. The individual whose personal data we process, in particular a user of flypayout.com.
2. Our principles
We handle personal data according to the following principles:
Lawfulness, fairness and transparency. We process data lawfully and fairly, and we tell you how we do it.
Purpose limitation. We collect data only for specific, legitimate purposes and do not use it in ways incompatible with them.
Data minimisation. We collect only what we genuinely need for those purposes.
Accuracy. We take reasonable steps to keep data accurate and up to date, and to correct or delete inaccurate data.
Storage limitation. We keep data only as long as needed, and then delete or anonymise it.
Integrity and confidentiality. We protect data with appropriate technical and organisational measures.
Accountability. We take responsibility for these principles and can demonstrate our compliance.
Legal basis. Every processing activity rests on a clear legal basis: performance of our contract, a legal obligation, our legitimate interest, or your consent. Where we rely on consent, you can withdraw it at any time.
3. Why we process your data, and on what basis
3.1 Providing our service and performing our contract
Our main purpose is to provide the assistance you ask for in claiming compensation for disrupted flights, and to run related features such as the referral program. We use your data to check eligibility, to prepare and submit claims to airlines, authorities or courts, to make payments to you, to manage referral codes, and to communicate with you. The legal basis is the performance of our contract with you (Article 6(1)(b) GDPR).
3.2 Meeting our legal obligations
We must process certain data to comply with the law, including tax and accounting rules, anti-money-laundering and counter-terrorism-financing rules, consumer-protection duties, and lawful requests from authorities. This covers issuing invoices, keeping financial records, and reporting where required. The legal basis is our legal obligation (Article 6(1)(c) GDPR).
3.3 Our legitimate interests
In some cases we process data to protect our IT systems, prevent fraud, improve our service, manage our relationship with you, and establish, exercise or defend legal claims. The legal basis is our legitimate interest (Article 6(1)(f) GDPR), which we weigh against your rights and freedoms, limiting the processing to what is necessary.
3.4 Communication and support
We use your contact details to update you on your claim, answer your questions, and provide technical and administrative support. The basis is the performance of our contract (Article 6(1)(b) GDPR) where the contact relates to our service, or our legitimate interest (Article 6(1)(f) GDPR) where you contact us outside a contract.
3.5 Marketing
We send marketing messages about our service only to people who have agreed to receive them. The legal basis is your consent (Article 6(1)(a) GDPR), which you can withdraw at any time without affecting earlier processing.
3.6 Cookies and similar technologies
We use cookies and similar technologies to run the website, understand how it is used, and personalise content. We rely on your consent for non-essential cookies (Article 6(1)(a) GDPR) and on our legitimate interest for strictly necessary cookies (Article 6(1)(f) GDPR). See the cookies section below.
3.7 Establishing and defending legal claims
We may process your data to exercise or defend our rights in judicial, administrative or out-of-court proceedings. The basis is our legitimate interest (Article 6(1)(f) GDPR), and we share the data only with those involved in the matter, such as lawyers, courts or competent authorities.
4. The data we collect
We collect only what we need for the purposes above, mostly directly from you, and sometimes from authorised sources such as flight-data providers when this is justified.
Identification data. Full name, date of birth, nationality, and, where required by a competent authority or for a legal procedure, identification-document details or a personal identification number.
Contact data. Email address, phone number and, in some cases, your home or residence address.
Flight and booking data. Flight number, operating airline, departure and arrival airports, scheduled date and time, delays or changes, tickets, boarding passes, reservations and other details you share.
Financial data. Bank account holder name, IBAN, SWIFT/BIC, bank details and transaction history related to your payments and our invoicing.
Technical and usage data. IP address, browser type and version, operating system, approximate location from your IP, pages visited and session duration, collected through cookies with your consent.
Correspondence data. The content of your emails and messages to us, plus metadata such as date, time and channel.
Legal-compliance data. Information needed to prevent fraud, meet anti-money-laundering duties, or handle disputes and complaints, including data requested by authorities.
We do not collect special categories of data (such as health, religious, ethnic or political information) unless it is strictly necessary to resolve a claim and we have your explicit consent or another valid legal basis. If you send us such data by mistake, we delete it unless we have a justified legal reason to keep it. If you choose not to give us data we genuinely need, we may be unable to provide part or all of the service.
5. How we use your data
We use your data to deliver and manage your claim (checking eligibility, preparing and submitting documents, communicating with airlines and authorities), to support you, to meet our legal duties, to keep the service secure and improve it, to send marketing where you have agreed, to detect and prevent fraud and security incidents, and to establish, exercise or defend legal claims. We process by electronic means and, where needed, manually, with appropriate security in place.
6. Who we share your data with
We do not sell or rent your personal data. We share it only where necessary, and only as described here.
6.1 Airlines, authorities and other parties to the claim
To pursue your claim, we share relevant data, such as identification data, flight information and supporting documents, with airlines, aviation regulators, courts, arbitrators and other parties involved.
6.2 Lawyers and law firms
Where your claim needs legal action, we share your data with the lawyers and law firms we engage to pursue it in the relevant country. Depending on the engagement and the jurisdiction, they may act as our processors or as independent controllers.
6.3 Banks and payment providers
To pay you and meet our accounting duties, we share financial data such as account holder name, IBAN and transaction details with banks, payment providers and financial institutions.
6.4 Public authorities and regulators
We may share data with authorities, regulators, courts or law-enforcement bodies where there is an official request, a legal obligation, or a legitimate interest in preventing fraud and protecting rights.
6.5 IT and infrastructure providers
We work with hosting, e-signature, flight-data and other technology providers who process data on our behalf, as our processors, under data-processing agreements that require strict security and confidentiality.
6.6 International transfers
As a controller based in Serbia, we may transfer data to recipients in other countries, for example to EU airlines or to service providers abroad. We do so in line with the LPDP rules on international transfers (Articles 64 to 70): to countries or organisations that provide an adequate level of protection (including those on the Serbian list or party to Council of Europe Convention 108), or otherwise with appropriate safeguards such as Standard Contractual Clauses. Where the GDPR applies to a transfer, we use a transfer mechanism valid under the GDPR. We transfer data only where necessary and with appropriate protection in place.
6.7 With your consent
Where sharing is not needed for the contract, a legal obligation or our legitimate interests, we ask for your consent first, for example for certain marketing or partnership purposes.
7. How we keep your data secure
We apply appropriate technical and organisational measures to protect your data. Technical measures include encryption of data in transit and at rest, firewalls and intrusion detection, access control with multi-factor authentication, security monitoring and auditing, and regular backups. Organisational measures include clear internal policies, staff training, confidentiality undertakings, access limited to those who need it, and a security-incident response plan.
If a personal data breach occurs that may affect your rights and freedoms, we will notify the competent supervisory authority, and where required also you, within the deadlines set by law.
8. How long we keep your data
We keep your data only as long as needed for the purposes it was collected for, taking into account our contractual and operational needs, our legal obligations, and the limitation periods relevant to legal claims. In practice:
Identification and contact data: during our relationship and for the limitation and record-keeping period that applies afterwards.
Flight and booking data: as long as needed to resolve the claim, and for the applicable statute-of-limitations period afterwards (in the Republic of Serbia, this is 2 years).
Financial and transaction data: 10 years, in line with tax and accounting rules.
Correspondence: 3 years from our last interaction.
Marketing and other consent-based data: until you withdraw consent, and no longer than 2 years from your last interaction with us.
Technical and cookie data: as set out in the cookie section, from 6 months to 2 years depending on the cookie.
When a period ends, we delete the data or anonymise it so it can no longer be linked to you. If you ask us to delete your data earlier, we will do so unless we have a legal reason to keep it.
9. Your rights
You have the following rights over your data:
Access: to know whether we process your data and to obtain a copy and related information.
Rectification: to have inaccurate or incomplete data corrected or completed.
Erasure: to have your data deleted where there is no longer a valid reason to keep it.
Restriction: to limit how we use your data in certain situations.
Portability: to receive data you gave us in a structured, machine-readable format, and to have it sent to another controller where technically feasible.
Objection: to object to processing based on our legitimate interest, and to object at any time to direct marketing.
Withdraw consent: to withdraw consent at any time, without affecting processing carried out before the withdrawal.
Complaint: to complain to a supervisory authority, as set out below.
To exercise any of these rights, email us at support@flypayout.com. We respond as soon as possible and within 30 days, a period we may extend by a further 60 days for complex or numerous requests, in which case we will tell you. Exercising your rights is free of charge.
10. Automated decision-making
We do not currently make decisions about you based solely on automated processing that produce legal effects concerning you or similarly significantly affect you. Where we use automated tools to help assess eligibility, the outcome involves human review. If this ever changes, we will update this Policy, inform you, explain the logic involved, and give you the right to obtain human intervention, to express your view, and to contest the decision.
11. Cookies and similar technologies
Cookies are small files stored on your device when you visit a website. They let the site recognise your device and remember information about your preferences and actions.
We use the following types of cookies:
Strictly necessary cookies, needed for the website to work (for example login, forms and security). These cannot be switched off.
Performance and analytics cookies, which show us how the site is used so we can improve it.
Functionality cookies, which remember your choices such as language or settings.
Advertising and targeting cookies, which help us show relevant ads and measure campaigns, and may be set by partners.
Social media cookies, which let you share content on social platforms.
We use tools such as Google Analytics (GA4), Google Tag Manager, Microsoft Clarity and Google Ads. When you first visit, a cookie banner lets you accept all cookies, reject non-essential ones, or set your preferences, which you can change at any time in the cookie settings. You can also manage cookies through your browser. Third-party cookies are governed by the providers’ own policies. Cookies last either for your session or for a set period, from 6 months to 2 years, depending on the cookie.
12. Children’s data
Our service is not intended for children under 15, the age set for valid consent to information-society services under the LPDP, and we do not knowingly collect their data on that basis. We do process a child’s data where it is necessary to handle a claim for a child affected by a disrupted flight; in that case a parent or legal guardian acts on the child’s behalf, provides the data, and gives consent where consent is the basis. We may ask for documents to verify the parent or guardian. Parents and guardians can exercise the rights set out in section 9 on the child’s behalf, and we limit the processing of a child’s data to what is strictly necessary.
13. Complaints
If you have a concern about how we handle your data, please contact us first at support@flypayout.com, or by post to our registered office, so we can try to resolve it. We aim to respond within 30 days.
You also have the right to complain to the supervisory authority. In the Republic of Serbia this is the Commissioner for Information of Public Importance and Personal Data Protection (Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti):
Address: Bulevar kralja Aleksandra 15, 11000 Belgrade, Serbia
Website: poverenik.rs
Email: office@poverenik.rs
Phone: +381 11 3408 900
If you are located in the European Union or the European Economic Area, you may also complain to the supervisory authority in your country of residence. You may also seek protection of your rights before the competent courts.
14. Changes to this Policy
We may update this Policy from time to time to reflect changes in the law, our operations or technology. We publish the current version on flypayout.com with the date of the latest update. If the changes are significant, we will tell you by email or a notice on the website, and where the law requires new consent, we will ask for it before processing your data under the new terms.
15. How to contact us
For any question or request about this Policy or your data, contact FlyCompensations Ltd, 17 Makenzijeva, Belgrade, Republic of Serbia, at support@flypayout.com.
