Privacy Policy

This Privacy Policy explains how Tailwind Ltd ("Tailwind", "we", "us", "our") collects, uses, and protects your personal data when you use our fare monitoring and auto-rebook service. Tailwind Ltd is the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Registered Office: Lisbon, Portugal Contact: privacy@tailwind.com

We collect and process the following categories of personal data: (a) Identity Data: Full legal name, gender, date of birth. (b) Contact Data: Email address, phone number, postal address. (c) Travel Document Data: Passport number, nationality, passport expiry date (required for flight bookings). (d) Payment Data: Payment card details (processed and stored securely by Stripe; we do not store full card numbers). (e) Flight Data: Booking references (PNRs), flight details, fare information, cabin class, airline, dates of travel. (f) Technical Data: IP address, browser type, device information, session cookies. (g) Usage Data: Feature usage patterns, alert preferences, rebook history.

We process your personal data on the following legal bases: (a) Contract Performance: Processing necessary to provide the Service you have signed up for, including fare monitoring, alert delivery, and rebook execution. (b) Legitimate Interest: Processing necessary for our legitimate business interests, such as improving the Service, fraud prevention, and internal analytics, where these interests are not overridden by your rights. (c) Consent: Where required, we obtain your explicit consent for specific processing activities such as marketing communications. You may withdraw consent at any time. (d) Legal Obligation: Processing required to comply with applicable laws, regulations, or legal proceedings.

Your personal data is used for the following purposes: (a) Fare Monitoring: We use your flight booking data to check current fares against your existing reservation. (b) Alerts: We use your contact details to send price drop notifications via your preferred channel (SMS, email, or push). (c) Rebook Execution: We use your identity, travel document, and payment data to execute rebooks on your behalf via the Duffel API. (d) Invoicing: We use your identity and payment data to generate invoices and process fee payments. (e) Account Management: We use your profile data to manage your account and preferences. (f) Service Improvement: We use anonymised usage data to improve and optimise the Service.

We share your personal data with the following third-party processors, strictly as necessary to provide the Service: (a) Duffel (Duffel Technology Ltd, UK): Flight search, booking, and rebook execution. Duffel processes your flight and identity data. (b) Stripe (Stripe Inc, US): Payment processing. Stripe processes your payment card data under PCI DSS Level 1 compliance. (c) Twilio (Twilio Inc, US): SMS delivery for price alerts. Twilio processes your phone number and message content. (d) SendGrid (Twilio SendGrid, US): Email delivery for alerts and invoices. SendGrid processes your email address. We do not sell your personal data to any third party. We do not share your data with any third party for their own marketing purposes.

We retain your personal data for as follows: (a) Account Data (name, email, phone, preferences): For the duration of your account plus 6 years after account closure, as required for tax and legal compliance purposes. (b) Flight and Booking Data: 90 days after the departure date of the relevant flight. (c) Payment Transaction Records: 6 years from the date of transaction, as required by UK tax legislation. (d) Technical and Usage Data: 12 months from the date of collection. Upon expiry of the retention period, data is securely deleted or anonymised.

Under UK GDPR, you have the following rights regarding your personal data: (a) Right of Access: You may request a copy of the personal data we hold about you. (b) Right to Rectification: You may request correction of inaccurate or incomplete data. (c) Right to Erasure: You may request deletion of your data where there is no compelling reason for continued processing. (d) Right to Data Portability: You may request your data in a structured, commonly used, machine-readable format. (e) Right to Object: You may object to processing based on legitimate interest. (f) Right to Restrict Processing: You may request restriction of processing in certain circumstances. To exercise any of these rights, please contact us at privacy@tailwind.com. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).

Tailwind uses minimal cookies, limited to: (a) Session Cookies: Essential cookies required to maintain your authenticated session. These expire when you close your browser or after 24 hours of inactivity. We do not use tracking cookies, advertising cookies, or third-party analytics cookies. No cookie consent banner is required as we only use strictly necessary cookies.

Some of our third-party processors are based outside the UK: (a) Duffel: Based in the UK. No international transfer. (b) Stripe: Based in the US. Transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission. (c) Twilio / SendGrid: Based in the US. Transfers are protected by Standard Contractual Clauses (SCCs). All international transfers comply with Chapter V of UK GDPR and are subject to appropriate safeguards.

If you have any questions about this Privacy Policy or our data processing practices, please contact our Data Protection Officer: Email: privacy@tailwind.com Tailwind Ltd Lisbon, Portugal This Privacy Policy was last updated on 1 March 2026.