Privacy Policy
Last updated: March 1, 2026
At gone. ("we," "us," "our," or "gone."), we believe that privacy is a fundamental right. This Privacy Policy explains in detail how gone. SRL, a company incorporated and registered in Romania, collects, uses, stores, shares, and protects your personal information when you access or use our website, mobile applications, and flight deal alert service (collectively, the "Service").
gone. operates under the laws of Romania and is fully committed to compliance with the European Union General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Romanian Data Protection Law No. 190/2018, and all other applicable data protection legislation. We act as the data controller for the personal data processed through the Service.
By creating an account, subscribing to any plan, or otherwise using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use our Service.
1. Information We Collect
We collect information in several ways: directly from you when you provide it, automatically when you interact with our Service, and occasionally from third-party sources. Below is a comprehensive overview of the categories of information we collect.
1.1 Information You Provide Directly
When you create an account, subscribe to a plan, update your preferences, or contact us, you may provide the following information:
- Account registration information: Your full name, email address, and a password that you create. Your password is cryptographically hashed using bcrypt before storage; we never store your password in plain text.
- Travel preferences: Your preferred departure airport(s) from our supported Romanian airports (OTP, CLJ, TSR, IAS, SBZ, CRA, BCM, OMR, SUJ), preferred destination regions or specific cities, budget ranges, travel date flexibility, trip duration preferences, and any other flight preference settings you configure within the Service.
- Communication preferences: Your chosen notification channels (email, push notifications, and SMS for Max plan subscribers), notification frequency, and whether you opt in to receive promotional communications from us.
- Payment information: When you subscribe to a paid plan (Pro at €4.99/month or Max at €14.99/month), payment is processed securely by our third-party payment processor, Stripe, Inc. We do not directly collect, store, or process your full credit card number, debit card number, or bank account details. Stripe provides us with limited transaction information, including the last four digits of your card, card brand, expiration date, billing country, and transaction identifiers, which we store to manage your subscription and provide billing support.
- Phone number: If you subscribe to the Max plan and opt in to receive SMS notifications, we collect your mobile phone number for the sole purpose of delivering flight deal alerts via SMS.
- Custom route information: If you are a Max plan subscriber, you may configure custom routes (specific origin-destination pairs) that you wish to monitor. This information is stored as part of your preferences.
- Support correspondence: If you contact us via email or through any in-app support functionality, we collect the content of your communications, including any attachments, along with your name and email address, to respond to and resolve your enquiry.
- Survey and feedback data: If you voluntarily participate in surveys, feedback forms, or user research, we collect the responses you provide.
1.2 Information Collected Automatically
When you access or use our Service, we automatically collect certain technical and usage information through cookies, server logs, and similar technologies:
- Usage data: Pages and screens you visit, features you use, deals you view or interact with, search queries you perform, alerts you open or click through, the date and time of your visits, the duration of your sessions, and your interaction patterns within the Service.
- Device information: The type of device you use (desktop, tablet, mobile), your operating system and version, browser type and version, screen resolution, device language settings, and unique device identifiers where applicable.
- Log data: Your Internet Protocol (IP) address, access times and dates, referring and exit URLs, the pages of our Service that you visit, and the links you click.
- Location data: We may infer your approximate geographic location from your IP address. We do not collect precise GPS-based location data.
- Cookies and similar technologies: We use cookies, web beacons, pixels, and similar tracking technologies to collect information about your browsing activity. For full details, please see our Cookie Policy.
- Push notification tokens: If you enable push notifications, we receive a device token from your browser or device that allows us to deliver push notifications to you via Firebase Cloud Messaging. This token does not reveal your personal identity on its own.
1.3 Information from Third Parties
We may receive limited information about you from third-party sources, including:
- Payment processor: Stripe may provide us with information about the status of your payments, including whether a transaction succeeded, failed, or was disputed.
- Analytics providers: Our analytics tools may provide us with aggregated or anonymised information about how groups of users interact with our Service.
2. How We Use Your Information
We use the personal data we collect for the following specific purposes:
2.1 Providing and Operating the Service
- To create and manage your account and authenticate your identity when you log in.
- To monitor flight prices from Romanian airports and generate personalised flight deal alerts based on your travel preferences, departure airports, and budget settings.
- To deliver deal alerts and other service communications to you via your chosen notification channels (email, push notifications, and SMS for Max subscribers).
- To process and manage your subscription, including billing, payment processing, plan upgrades, downgrades, and cancellations.
- To provide customer support and respond to your enquiries, requests, and complaints.
2.2 Improving and Developing the Service
- To analyse usage patterns, trends, and user behaviour to understand how our Service is used and identify areas for improvement.
- To improve our flight deal detection algorithms, pricing models, and the relevance and accuracy of the deals we surface.
- To conduct internal research and development to build new features, products, and services.
- To test and troubleshoot new features before they are released to all users.
- To generate aggregated, anonymised, or de-identified data and statistics that do not identify you personally.
2.3 Communicating with You
- To send you essential service-related communications, such as account verification emails, subscription confirmations, billing receipts, and security alerts. These communications are necessary for the operation of your account and are not promotional in nature.
- To send you promotional communications, newsletters, and special offers, but only where you have given your prior consent or where we have a legitimate interest to do so. You can opt out of promotional communications at any time.
- To notify you of important changes to our Service, Terms of Service, or this Privacy Policy.
2.4 Safety, Security, and Legal Compliance
- To detect, prevent, and address fraud, abuse, security incidents, and other harmful or unauthorised activity.
- To enforce our Terms of Service and other agreements.
- To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
- To protect the rights, property, and safety of gone., our users, and the public.
3. Legal Basis for Processing (GDPR)
Under the GDPR, we are required to have a valid legal basis for each processing activity involving your personal data. We rely on the following legal bases:
- Performance of a contract (Article 6(1)(b) GDPR): Processing that is necessary to provide you with the Service you have signed up for, including creating and managing your account, delivering flight deal alerts, and processing payments for paid subscriptions.
- Consent (Article 6(1)(a) GDPR): Where you have given clear, affirmative consent to specific processing activities, such as receiving promotional communications, enabling push notifications, or opting in to SMS alerts. You have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
- Legitimate interests (Article 6(1)(f) GDPR): Processing that is necessary for our legitimate business interests, provided those interests are not overridden by your rights and freedoms. This includes improving the Service, analysing usage patterns, preventing fraud, and ensuring the security of our systems. We conduct a balancing test for each legitimate interest activity and document our assessment.
- Legal obligation (Article 6(1)(c) GDPR): Processing that is necessary to comply with legal obligations to which we are subject, such as tax reporting, regulatory compliance, and responding to lawful requests from public authorities.
4. Data Sharing and Disclosure
We do not sell, rent, lease, or trade your personal data to third parties for their marketing purposes. We share your information only in the following limited circumstances and only to the extent necessary:
4.1 Service Providers (Sub-processors)
We engage carefully selected third-party service providers to help us operate, maintain, and improve the Service. These providers process personal data on our behalf and are contractually bound by data processing agreements that require them to protect your data in accordance with the GDPR and this Privacy Policy. Our current service providers include:
- Amazon Web Services (AWS): Cloud infrastructure and hosting services. Our primary servers and databases are located in the European Union (EU-West region). AWS processes data in accordance with the AWS GDPR Data Processing Addendum.
- Stripe, Inc.: Secure payment processing for subscription billing. Stripe is PCI DSS Level 1 certified and processes payment data in accordance with its own privacy policy and data processing agreement. Stripe may process data in the EU and the United States.
- Postmark (ActiveCampaign, LLC): Transactional and notification email delivery. Postmark delivers our flight deal alerts and service-related emails. Postmark processes data in the United States subject to EU-approved data transfer mechanisms.
- Firebase Cloud Messaging (Google LLC): Push notification delivery service. Firebase processes push notification tokens and message data to deliver push notifications to your device. Google may process data in the EU and the United States subject to the EU-US Data Privacy Framework.
4.2 Legal and Regulatory Disclosure
We may disclose your personal data if we believe in good faith that such disclosure is necessary to:
- Comply with applicable laws, regulations, or legal processes (such as a court order, subpoena, or government request).
- Protect and defend the rights, property, or safety of gone., our users, or third parties.
- Detect, prevent, or address fraud, security issues, or technical problems.
- Enforce our Terms of Service or other agreements.
4.3 Business Transfers
In the event that gone. SRL is involved in a merger, acquisition, reorganisation, bankruptcy, dissolution, sale of all or a portion of its assets, or similar transaction, your personal data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or uses of your personal data, as well as any choices you may have regarding your personal data, before such transfer takes effect.
4.4 Aggregated and Anonymised Data
We may share aggregated or anonymised data that does not directly identify you with third parties for purposes such as industry analysis, market research, or service improvement. This data cannot be used to re-identify you.
5. Data Retention
We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, as described in this Privacy Policy, or as required or permitted by law. Our specific retention periods are as follows:
- Active account data: For as long as your account remains active and you continue to use the Service.
- Account deletion: If you request deletion of your account, we will delete or anonymise your personal data within 30 calendar days, except where we are legally required to retain certain information (for example, billing records for tax compliance purposes, which may be retained for up to 10 years as required by Romanian fiscal legislation).
- Inactive accounts: If your account has been inactive for a period of 24 consecutive months (no logins, no interactions with alerts), we may send you a reminder notification. If the account remains inactive for a further 6 months after notification, we may delete or anonymise your personal data.
- Payment records: Billing transaction records and invoices are retained for up to 10 years from the date of the transaction, as required by Romanian tax and accounting laws.
- Support correspondence: Customer support communications are retained for up to 3 years after the resolution of the enquiry to assist with follow-up enquiries and to improve our support processes.
- Log data: Server logs and access logs are retained for up to 12 months for security and troubleshooting purposes, after which they are automatically deleted.
- Analytics data: Aggregated and anonymised analytics data may be retained indefinitely, as it does not constitute personal data.
6. Your Rights Under the GDPR
As a data subject under the GDPR, you have the following rights in relation to your personal data. These rights are not absolute and may be subject to certain conditions and limitations as provided by law.
6.1 Right of Access (Article 15 GDPR)
You have the right to request confirmation as to whether we are processing your personal data and, if so, to obtain a copy of that data along with information about how it is being processed, including the purposes, categories of data, recipients, retention periods, and your rights.
6.2 Right to Rectification (Article 16 GDPR)
You have the right to request that we correct any inaccurate personal data we hold about you and to have incomplete data completed. You can also update most of your account information directly through the Service settings.
6.3 Right to Erasure (Article 17 GDPR)
You have the right to request that we delete your personal data in certain circumstances, including when the data is no longer necessary for the purposes for which it was collected, when you withdraw your consent (where processing is based on consent), when you object to processing and there are no overriding legitimate grounds, or when data has been unlawfully processed. This right is also known as the "right to be forgotten."
6.4 Right to Data Portability (Article 20 GDPR)
You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format (such as JSON or CSV) and to transmit that data to another controller without hindrance, where the processing is based on consent or a contract and is carried out by automated means.
6.5 Right to Restriction of Processing (Article 18 GDPR)
You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data, when processing is unlawful and you prefer restriction over erasure, when we no longer need the data but you require it for the establishment, exercise, or defence of legal claims, or when you have objected to processing pending verification of whether our legitimate grounds override yours.
6.6 Right to Object (Article 21 GDPR)
You have the right to object to the processing of your personal data where processing is based on our legitimate interests or for direct marketing purposes. Where you object to processing for direct marketing, we will cease processing your data for that purpose without exception. Where you object to processing based on legitimate interests, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
6.7 Right to Withdraw Consent
Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing that occurred before the withdrawal. You can withdraw consent by adjusting your notification settings, unsubscribing from emails, or contacting us directly.
6.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority. In Romania, the competent authority is the National Supervisory Authority for Personal Data Processing (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal, or ANSPDCP). You also have the right to lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
6.9 How to Exercise Your Rights
To exercise any of the above rights, please contact us at hello@gone.ro. We may need to verify your identity before processing your request. We will respond to your request within 30 days of receipt. If a request is particularly complex or requests are numerous, we may extend the response period by an additional 60 days, in which case we will inform you of the extension and the reasons for the delay within the initial 30-day period. Exercising your rights is free of charge, except in cases of manifestly unfounded or excessive requests, where we may charge a reasonable administrative fee.
7. International Data Transfers
Your personal data is primarily stored and processed within the European Economic Area (EEA). However, some of our service providers (as described in Section 4.1) may process data in countries outside the EEA, including the United States.
Where personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place to protect your data, including:
- Adequacy decisions: Transfers to countries that the European Commission has determined provide an adequate level of data protection.
- Standard Contractual Clauses (SCCs): We use the European Commission-approved Standard Contractual Clauses as a legal mechanism for transfers to countries without an adequacy decision.
- EU-US Data Privacy Framework: Where applicable, our US-based service providers participate in the EU-US Data Privacy Framework, which has been recognised by the European Commission as providing an adequate level of protection.
- Supplementary measures: Where necessary, we implement additional technical and organisational measures (such as encryption and pseudonymisation) to ensure the transferred data receives a level of protection that is essentially equivalent to that guaranteed within the EEA.
You may request information about the specific safeguards applied to transfers of your personal data by contacting us at hello@gone.ro.
8. Data Security
We take the security of your personal data very seriously and implement comprehensive technical and organisational measures to protect it against unauthorised access, alteration, disclosure, or destruction. These measures include, but are not limited to:
- Encryption in transit: All data transmitted between your device and our servers is encrypted using Transport Layer Security (TLS) 1.3, the most current and secure version of the protocol.
- Encryption at rest: All personal data stored on our servers is encrypted at rest using AES-256 encryption, an industry-standard symmetric encryption algorithm.
- Password security: User passwords are cryptographically hashed using bcrypt with a high cost factor. We never store passwords in plain text, and our employees cannot view your password.
- Access controls: We implement strict role-based access controls following the principle of least privilege. Access to personal data is limited to authorised personnel who need it to perform their job functions and who are bound by contractual confidentiality obligations.
- Infrastructure security: Our infrastructure is hosted on AWS within the European Union and benefits from AWS's comprehensive physical and environmental security controls, including ISO 27001 and SOC 2 certifications.
- Regular security assessments: We conduct regular security audits, vulnerability assessments, and penetration testing to identify and address potential security weaknesses.
- Incident monitoring: We operate continuous monitoring and intrusion detection systems to promptly identify and respond to potential security incidents.
- Automated backups: We perform regular automated backups of all data to ensure availability and enable disaster recovery. Backups are encrypted and stored securely within the EU.
- Secure development practices: We follow secure software development practices, including code reviews, dependency scanning, and security testing as part of our development lifecycle.
While we implement robust security measures, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your data, but we are committed to promptly addressing any security incidents in accordance with our Data Breach Notification procedures and applicable law.
9. Children's Privacy
Our Service is not directed to, nor designed to attract, individuals under the age of 16. We do not knowingly collect, solicit, or store personal data from anyone under 16 years of age. If you are under 16, please do not attempt to register for the Service or send any personal data to us.
If we become aware that we have inadvertently collected personal data from a child under 16, we will take immediate steps to delete that information from our records. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us immediately at hello@gone.ro so that we can take appropriate action.
10. Automated Decision-Making
Our Service uses automated processes to select and deliver flight deal alerts based on your configured preferences (such as departure airports, destinations, and budget ranges). This automated matching is a core function of the Service and is necessary for the performance of our contract with you.
We do not use your personal data for automated decision-making that produces legal effects or similarly significantly affects you, as defined under Article 22 of the GDPR. The flight deals presented to you are informational in nature, and you are always free to act on them or disregard them as you see fit.
11. Third-Party Links and Services
Our Service may contain links to third-party websites, services, or applications, including airline websites where you may choose to book flights. These third-party services have their own privacy policies and practices, and we are not responsible for how they collect, use, or protect your personal data. We encourage you to review the privacy policies of any third-party services you access through our Service.
When you click on a flight deal link and are redirected to an airline or booking platform, the information you provide on that platform is subject to that third party's privacy policy, not ours. gone. does not sell, book, or issue flight tickets, and we do not receive any of the personal data you provide to airlines or booking platforms.
12. Do Not Track Signals
Some web browsers transmit "Do Not Track" (DNT) signals to the websites and online services that you visit. There is currently no universally accepted standard for how companies should respond to DNT signals. At this time, we do not respond to DNT signals. However, we do not engage in cross-site tracking of our users, and we do not use advertising cookies or trackers.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, Service features, legal requirements, or for other operational, legal, or regulatory reasons. When we make changes, we will:
- Update the "Last updated" date at the top of this page.
- Provide prominent notice of material changes that significantly affect how we handle your personal data, such as by sending an email to the address associated with your account or by displaying a prominent notice within the Service, at least 30 days before the changes take effect.
- Obtain your consent to material changes before they take effect, where required by law.
We encourage you to periodically review this Privacy Policy to stay informed about how we are protecting your data. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy, our data practices, or your rights under applicable data protection law, please do not hesitate to contact us:
- Email: hello@gone.ro
- Company: gone. SRL
- Address: Bucharest, Romania
We aim to respond to all legitimate enquiries within 30 days. If you feel that your enquiry has not been adequately addressed, you have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) or with the supervisory authority in the EU Member State of your habitual residence or place of work.
- ANSPDCP website: www.dataprotection.ro