General Privacy Policy – EEA Individuals (Effective Date: 14 May, 2025)

  • Controller Details
  • Controller’s EU Representative
  • Data Storage
  • Data Transfer
  • Sales and Marketing
  • Retention
  • Information Security
  • Governmental Access Requests
  • Corporate Restructuring
  • Your GDPR Rights
  • Objecting to Legitimate Interest/Direct Marketing
  • Right to Lodge a GDPR Complaint
  • Use of Our Services by Minors
  • Updates to this Privacy Policy
  • Contacting Us
  • E.U.-U.S. and Swiss-U.S. Privacy Shield

Controller Details

Fareportal Inc. (“Fareportal”), owner and operator of CheapOair.co.uk, is the controller of personal data collected regarding individuals located in the European Economic Area (“EEA Individuals,” “you,” or “your”) through the CheapOair.co.uk website (the “Website”), including both the desktop and mobile web version, and our contact centers. This Privacy Policy describes our general privacy and security practices in connection with your personal data. Throughout your Website experience or when speaking with a contact center agent, you will also receive ‘just-in-time’ notifications (e.g., legal basis for processing, categories of recipients, retention, etc.) at the time personal data is obtained for a particular processing activity, along with a link to this Privacy Policy.

Except as otherwise defined in this Privacy Policy, all terms shall have the same meaning set forth in the European Union General Data Protection Regulation (EU) 2016/679 (the “GDPR”).


Controller’s EU Representative

Fareportal’s representative in the European Union is Duke’s Court Travel, located at Mill House, 216-218 Chiswick High Rd., Chiswick, London W4 1PD, UK.


Data Storage

Fareportal stores EEA Individuals’ personal data within its U.S. data centers.


Data Transfer

Fareportal has a valid certification to the E.U.-U.S. and Swiss-U.S. Privacy Shield that it relies upon, pursuant to Article 46(1) of the GDPR, to import EEA Individuals’ personal data to these data centers for its various processing activities. When transferring such data to Fareportal’s agents (such as Fareportal’s contact centers or service providers) or other controllers (such as airlines, hotel chains, or other suppliers) in countries that have not received an ‘adequacy decision’ by the European Commission, Fareportal ensures that such agents and controllers also commit to upholding the Principles of the Privacy Shield. Fareportal may also rely on appropriate Standard Contractual Clauses with such entities to ensure adequate protection for your personal data.

Please note, however, that transfers of personal data to non-EEA based travel suppliers specifically for the purpose of fulfilling your various bookings or purchases (such as flight, hotel, or car accommodations) will be based on the following derogations in GDPR Article 49, as applicable: (i) for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request (Article 49(1)(b)); and/or (ii) for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person (Article 49(1)(c)).


Sales and Marketing

More information regarding our sales and associated email marketing activities upon becoming a customer can be found in our ‘Sales Privacy Notice’ here. We provide additional information regarding our other marketing activities through appropriate ‘just-in-time’ notifications.


Retention

We will retain your Personal Information for the periods outlined in our retention policy, unless a longer retention period is required by law (including the establishment, defense, or exercise of potential legal claims). Our data retention policy, including retention of sales data, can be found here.


Information Security

Fareportal has a legitimate interest in ensuring cyber security and detecting possible criminal acts or threats to public security (including to prevent unauthorized access to networks and stopping damage to computers and systems), and employs a variety of technical and organizational measures to do so, which requires processing certain data to fulfill such purposes.

We follow all PCI-DSS requirements and implement additional generally accepted industry standards (e.g., ISO 27001). For example, your credit card information is encrypted using secure socket layer technology (SSL).

Our web servers will also log your requesting IP address, the page requested, request time, referrer information, what URL you came from, browser information, and the status of the request (for example, if a page does not exist, a 404 error code will be returned). Such information is used to help maintain the Website, ensure that our services are available, and prevent malicious or otherwise harmful attacks to our back-end systems.


Governmental Access Requests

Fareportal may be required to disclose personal data in response to lawful requests by public authorities, including for the purpose of meeting national security or law enforcement requirements. We may also disclose personal data to other third parties when compelled to do so by government authorities or required by law or regulation including, but not limited to, in response to court orders and subpoenas.


Corporate Restructuring

In the event of a merger, reorganization, dissolution or similar corporate event, or the sale of all or substantially all of our assets, we expect that the information that we have collected, including personal data, would be transferred to the surviving entity in a merger or the acquiring entity. All such transfers shall be subject to our commitments with respect to the privacy and confidentiality of such personal data as set forth in this Privacy Policy. This Privacy Policy shall be binding upon Fareportal and its legal successors in interest.


Your GDPR Rights

Natural persons have a right to: (i) request access to, correction and/or erasure of their personal data; (ii) object to processing of their personal data; (iii) restrict processing of their personal data; and (iv) request a copy of their personal data, or have a copy thereof sent to another controller, in a structured, commonly used and machine readable format under the right of data portability. These rights may be exercised by contacting feedback@CheapOair.com with the subject line, "GDPR Notice," or our address given below.


Objecting to Legitimate Interest/Direct Marketing

Natural persons may object to personal data processed pursuant to Fareportal’s legitimate interest. In such case, Fareportal will no longer process their personal data unless Fareportal demonstrates appropriate overriding legitimate grounds for the processing or if needed for the establishment, exercise, or defense of legal claims. Natural persons also may object at any time to processing of their personal data for direct marketing purposes. In such case, their personal data shall no longer be used for that purpose. In cases of direct marketing, natural persons often will be able to fulfill such rights directly via an ‘Unsubscribe’ link or similar mechanism (e.g., device settings for push notifications), but may always reach out to feedback@CheapOair.com (such as for opting-out of profiling) with the subject line, "GDPR Notice," or our address given below.

Please note that if you opt-out of receiving direct marketing from us, we may still send you important administrative messages via email, from which you cannot opt out (unless an applicable retention schedule or right to erasure request requires deletion of such email address).


Right to Lodge a GDPR Complaint

In accordance with GDPR Article 77, natural persons also have the right to lodge a complaint about Fareportal’s processing of their personal data with a competent supervisory authority, in particular in the member state of their habitual residence or place of work, or where an alleged GDPR infringement took place, as applicable.

Further, as applicable, natural persons may exercise their third-party beneficiary rights under Fareportal’s Standard Contractual Clauses.

Contact details for the EU data protection authorities can be found at:
http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm


Use of Our Services by Minors

Fareportal’s services are not directed to individuals under the age of eighteen (18), and we request that they not provide personal data to Fareportal through any means.


Updates to this Privacy Policy

If, in the future, we intend to process your personal data for a purpose other than that which it was collected, we will provide you with information on that purpose and any other relevant information at a reasonable time prior to such processing. After such time, the relevant information relating to such processing activity will be revised or added appropriately (either within this Privacy Policy or elsewhere), and the “Effective Date” at the top of this page will be updated accordingly.


Contacting Us

If you have any questions regarding our privacy practices, please contact us via email at feedback@CheapOair.com with the subject line, "GDPR Notice," or write to us at:

CheapOair
c/o Fareportal Inc.
135 West 50th Street, Suite 500
New York, NY 10020
Attn: Customer Service/Privacy

Because email communications are not always secure, please do not include credit card or other sensitive information in your emails to us.


E.U.-U.S. and Swiss-U.S. Privacy Shield

Note: This Data Privacy Framework section applies only to personal data processed pursuant to the EU-US Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) (collectively the “DPF”).

Important Notice for Individuals of the European Economic Area and Switzerland

Fareportal complies with the DPF requirements, as set forth by the US Department of Commerce. Fareportal has certified to the Department of Commerce that it adheres to the EU-U.S. DPF Principles with respect to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Fareportal has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. DPF Principles with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the policies in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the DPF program, and to view our certification page, please visit https://www.dataprivacyframework.gov/.

Fareportal is subject to the investigatory and enforcement powers of the Federal Trade Commission (“FTC”).

EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF Complaints

In compliance with the DPF Principles, Fareportal commits to resolve complaints about your privacy and our collection or use of your personal data transferred to the United States pursuant to the DPF Principles. European Union, United Kingdom, or Swiss individuals with inquiries or complaints regarding this Privacy Policy should first contact Fareportal at privacy@fareportal.com with the subject line, “Data Privacy Framework.”

Fareportal has further committed to refer unresolved privacy complaints under the DPF Principles to an independent dispute resolution mechanism, the JAMS Alternative Dispute Resolution (ADR) under the Data Privacy Framework. Located in the United States, JAMS is the world’s largest private ADR provider. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.jamsadr.com/submit/ for more information and to file a complaint. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Data Privacy Framework Annex 1 at https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2.

Onward Transfer to Third Parties

Like many businesses, we hire other companies to perform certain business-related services. We may disclose personal data to certain types of third-party companies but only to the extent needed to enable them to provide such certain business-related services on our behalf as our “agents” (as such term is utilized under the DPF). The types of companies that may receive personal data and their functions are: hosting services, technical assistance, database management/back-up services, information security and fraud detection services, analytics and marketing providers, and contact centers. All such third parties function as our agents, performing services at our instruction and on our behalf pursuant to contracts which require they provide at least the same level of privacy protection as is required by this Privacy Policy and implemented by Fareportal and notify us if they are no longer able to provide such protections, at which point we will take reasonable remedial steps. We may also disclose personal data to our affiliates in order to support marketing, sale and delivery of any services, or other business operations as disclosed in this Privacy Policy. In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Fareportal’s accountability for personal data that it receives under the DPF and subsequently transfers to a third party is described in the DPF Principles. In particular, Fareportal remains responsible and liable under the DPF Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Principles, unless Fareportal proves that it is not responsible for the event giving rise to the damage.

Opt-In and Opt-Out to Certain Onward Transfers

Individuals have the opportunity to opt-out of sharing of their personal data with third parties other than our agents or before we use it for a purpose other than which it was originally collected or subsequently authorized. To limit the use and disclosure of your personal data, please submit a written request to privacy@fareportal.com, with the subject line “Data Privacy Framework.”

We will not disclose your sensitive personal data to any third party without first obtaining your opt-in consent. You may provide your consent by sending us an email at privacy@fareportal.com.

In each instance, please allow us a reasonable time to process your response.

Your DPF Rights

Upon request to privacy@fareportal.com with the subject line, “Data Privacy Framework,” we will provide you with confirmation as to whether we are processing your personal data pursuant to the DPF, and have such data communicated to you within a reasonable time. You have the right to access, correct, amend, or delete the personal data processed pursuant to the DPF where it is inaccurate or has been processed in violation of our privacy disclosures to you, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated. We may require payment of a non-excessive fee to defray our expenses in this regard. Please allow us a reasonable time to respond to your inquiries and requests.

Retention of Personal Data

We will retain the personal data processed pursuant to the DPF in a form that identifies you pursuant to our retention policy above. We may continue processing such personal data for longer periods, but only for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research and statistical analysis, and subject to the protection of our privacy disclosures. After such time periods have expired, we may either delete your personal data or retain it in a form such that it does not identify you personally.

How We Protect Your Data

Fareportal takes very seriously the security and privacy of the personal data that it collects pursuant to the DPF. Accordingly, we will implement reasonable and appropriate security measures to protect your personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the risks involved in processing and the nature of such data, and to comply with applicable laws and regulations.

For the privacy policies of our other websites, please click here:

//www.cheapoair.com/info/privacy, www.cheapoair.ca/info/privacy/, www.onetravel.com/info/privacy-policy/
