Privacy Policy
Last updated: June 28, 2026
1. Introduction
FlyNinja S.L. ("we", "our", or "us"), a company registered in Spain with CIF B26656561 (VAT: ESB26656561), operates fly.ninja, a gift-first marketplace for adventure and activity experiences. You can also complete direct bookings with a fixed activity date and time without the gifting layer. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you visit our website, buy gifts, book experiences directly, redeem vouchers, or apply to become a partner operator.
Data Controller:
FlyNinja S.L.
C/ Emiliana de Zubeldía 5
28320 Pinto, Madrid, Spain
Email: hi@fly.ninja
2. Data We Collect
The data we collect depends on how you use fly.ninja. We only collect gift-specific fields when you choose a gift purchase type. Direct bookings do not require recipient or gift delivery information.
2.1 Website visitors
- Technical data: IP address, browser type, device information, pages viewed, and referral source
- Cookie and analytics data: as described in Section 8
- Approximate location: country or city level, derived from IP or browser settings where available
2.2 Direct bookers
Collected when you book for yourself or your group without a gift layer:
- Identity and contact: name, email address, and phone number where required for booking or payment
- Order and activity details: experience selected, activity date and time slot (if offered), participant counts, product options, and booking question answers
- Billing metadata: billing country or postal code where required for payment (we do not store full card numbers)
- Payment and booking references: transaction references, payment status, voucher or booking references, and confirmation status from our payment partners
2.3 Gift buyers
In addition to the data in Section 2.2 (where applicable), collected when you purchase a gift, including gifts with a fixed activity date at checkout:
- Recipient details: recipient name and email address (and related delivery fields where required)
- Gift presentation: personal message and delivery preferences
- Gift delivery scheduling: scheduled delivery date or time for email or QR delivery where selected
- Activity date at purchase (gifts with fixed date only): the activity date and time slot chosen at checkout, when that purchase type applies
- Voucher status: voucher codes, delivery status, and redemption status
For gift vouchers (redeem later), no activity date is collected at purchase. Scheduling data is collected when the recipient redeems the voucher.
2.4 Gift recipients and participants
- Contact details: name and email address provided by the buyer for gift delivery
- Redemption and scheduling activity: when a voucher is opened, when the recipient schedules the activity, and related booking question answers at redemption
- Participant details: information required to complete the booking when the recipient redeems or when a fixed-date gift is fulfilled
2.5 Partner operators
- Business details: trade name, legal status, tax ID, address, website, activity description, and adventure categories
- Contact details: contact name, email, and phone
- Onboarding documents: liability insurance certificates and related files you upload
- Payout details: banking and identity information collected through Stripe Connect or similar payout providers during onboarding
- Outreach correspondence: replies to acquisition emails and related contact details
2.6 Marketing subscribers
- Email address and, where provided, name or preferences needed to send the communications you opted into
- Consent and unsubscribe records to honour opt-out requests
3. Legal Basis for Processing
Under the GDPR we rely on the following legal bases:
- Contract (Art. 6(1)(b)): To process gift purchases, direct dated bookings, deliver vouchers, complete marketplace or operator bookings, manage redemption, and onboard partner operators
- Consent (Art. 6(1)(a)): For optional marketing emails, non-essential cookies where required, and any processing where we ask for your explicit consent
- Legitimate interest (Art. 6(1)(f)): For fraud prevention, platform security, service improvement, catalog quality, and limited business analytics, balanced against your rights
- Legal obligation (Art. 6(1)(c)): For tax, accounting, and regulatory records we are required to keep
4. How We Use Your Data
We use personal data to:
- Operate the fly.ninja website and experience catalog
- Process gift purchases, direct bookings, and experience reservations
- Send transactional emails appropriate to the purchase type, including order confirmations, gift delivery, redemption reminders, and pre-activity reminders for dated bookings
- Deliver gift vouchers by email or QR code where selected
- Coordinate bookings with experience operators and marketplace partners
- Review partner sign-up applications and manage operator onboarding
- Process partner payouts through our payment providers
- Provide customer and partner support
- Send marketing communications where you have opted in
- Monitor performance, debug issues, and protect against abuse
- Comply with legal and accounting obligations
We do NOT:
- Sell your personal data
- Share your data with unrelated advertisers for their own marketing
- Use your data for purposes incompatible with those described above without telling you
5. Data Sharing and Processors
We share personal data only as needed to run fly.ninja, including with:
- Experience marketplaces: Viator (TripAdvisor) and similar suppliers to fulfil catalog bookings
- Payment providers: Viator checkout, Stripe, and Stripe Connect for buyer payments and partner payouts
- Email delivery: SendGrid (Twilio Inc.) for transactional and marketing email
- Hosting and infrastructure: Vercel Inc., Cloudflare Inc., and Supabase for application hosting, CDN, security, and database storage
- Analytics: Google Analytics for aggregated website usage statistics
- Activity operators: the partner or supplier needed to deliver the booked experience
These providers act as processors or independent controllers depending on the service. Where they process data on our behalf, they are bound by data processing terms and security obligations appropriate to their role. Some providers are based outside the European Economic Area. Where required, transfers are protected by EU Standard Contractual Clauses or equivalent safeguards.
6. Data Retention
We keep personal data only as long as necessary for the purposes above, including:
- Direct bookings and gifts with a fixed activity date: for the life of the booking, plus the period required for accounting, tax, disputes, and fraud prevention
- Gift vouchers (redeem later): through the redemption window shown at purchase (including any reminder period before expiry), plus the period required for accounting, tax, disputes, and fraud prevention after redemption or expiry
- Partner applications and operator records: while the partnership is active and for a reasonable period afterwards for legal and audit purposes
- Marketing subscribers: until you unsubscribe or ask us to delete your data
- Unsubscribed marketing contacts: a minimal record (such as an email hash and unsubscribe date) for up to 3 years to honour opt-out requests
- Server and security logs: typically for a limited rolling period unless needed for an investigation
7. Your Rights
Under the GDPR, you have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate personal data
- Erasure: Request deletion of your data where applicable
- Restrict processing: Limit how we use your data in certain cases
- Data portability: Receive your data in a portable format where applicable
- Object: Object to processing based on legitimate interests
- Withdraw consent: Withdraw consent at any time for processing that relies on consent
To exercise these rights, contact us at hi@fly.ninja. We will respond within 30 days. You may also unsubscribe from marketing emails using the unsubscribe link in any marketing message.
8. Cookies and Analytics
Our website uses cookies and similar technologies for:
- Essential cookies: Required for basic functionality, security, and checkout flows
- Analytics cookies (Google Analytics 4): We use Google Analytics to understand how visitors use fly.ninja, including pages visited, time on site, and general location at country or city level. We use this to improve the service. We do not use Google Analytics for cross-site advertising profiles.
You can disable cookies in your browser settings, though some features may not work correctly. You can also opt out of Google Analytics using the Google Analytics Opt-out Browser Add-on.
9. Security
We implement appropriate technical and organizational measures to protect personal data, including:
- HTTPS encryption for data in transit
- Access controls on production systems and databases
- Payment card data handled by PCI-compliant payment partners rather than stored on our servers
- Regular review of infrastructure and application security practices
10. Children's Privacy
fly.ninja is not directed at children under 16. We do not knowingly collect personal data from children. Experiences may have minimum age requirements set by operators; buyers are responsible for ensuring participants meet those requirements. If you believe we have collected data from a child, contact us and we will delete it where required.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will post the revised policy on this page and update the "Last updated" date. For significant changes, we may also notify you by email or through a notice on the website where appropriate.
12. Contact Us
For questions about this Privacy Policy or to exercise your data rights, contact us:
FlyNinja S.L.
C/ Emiliana de Zubeldía 5
28320 Pinto, Madrid, Spain
Email: hi@fly.ninja
You also have the right to lodge a complaint with a supervisory authority. In Spain, this is the Agencia Española de Protección de Datos (AEPD): www.aepd.es