Privacy Policy

Controller: Eloy Rubio, Zurich, Switzerland. Contact: privacy@weekendflights.app.

What we process

When you subscribe to Pro we store your email, Stripe customer / subscription IDs, subscription status, current period end, and a HttpOnly session cookie (wf_session) signed with HMAC-SHA256. Magic-link tokens are SHA-256 hashed at rest and valid 15 minutes single-use. We also log the IP that initiated a login request to apply rate limits.

Browsing the calendar without an account stores no personal data: only the route and dates leave the site (to our flight data provider).

Legal bases

Processing for entitlement and login is performed to fulfill our contract with you (GDPR Art. 6(1)(b)). Tax-relevant records (Stripe invoices) are kept to comply with Swiss legal duty (Art. 6(1)(c)).

Subprocessors

Stripe (US, Data Privacy Framework-certified) — payments. Resend (EU) — transactional login email. Cloudflare (US, DPF-certified) — hosting, KV storage, edge compute.

Retention

Session cookie: 30 days. Magic-link token: 15 minutes. User record: kept while subscription is active and for 6 months after cancellation, then deleted. Webhook idempotency markers: 48 hours.

Your rights

You may request access, rectification, erasure, portability, restriction, or object to processing at any time by emailing privacy@weekendflights.app. We respond within 30 days. You may also lodge a complaint with the Swiss FDPIC or your local EU data protection authority.

Cookies

The only cookie set is the strictly-necessary wf_session for authentication, exempt from consent under ePrivacy Art. 5(3). No tracking, analytics, or marketing cookies.

Children

Not for users under 16.