Toplu - Fluchbuchungs-App

Privacy Policy

Toplu ApS | Reg. no. 46403274 | Greater Copenhagen, Denmark

Last updated: May 2026

This Privacy Policy is the authoritative English-language version. Translations into other languages are provided for convenience only. In the event of any inconsistency between the English version and any translation, the English version shall prevail.

1. Data Controller

The data controller responsible for the processing of your personal data is:

Toplu ApS Registration number: 46403274 Greater Copenhagen, Denmark

Email: ...

We are registered in Denmark and subject to the General Data Protection Regulation (GDPR) and the Danish Data Protection Act (Databeskyttelsesloven).

If you have questions or concerns about how we handle your personal data, please contact us at the email address above.

2. Data We Collect

2.1 Account Data

When you create an account, we collect your name, email address, date of birth, gender, and phone number. This information is required because airlines need it for all passengers at the time of booking.

You may also optionally add loyalty programme numbers for supported airlines.

2.2 Saved Traveler Data

You may save additional travelers (e.g., family members) for use in future bookings. For each saved traveler, we store their name, date of birth, gender, and loyalty programme numbers (if provided).

2.3 Booking Data

When you make a booking, we store the booking reference, flight details, passenger information, price breakdown, seat selections, baggage purchases, e-ticket numbers, and booking status.

2.4 Payment Data

We use Stripe as our payment processor. Card details are entered directly into Stripe's secure payment form and are never transmitted to or stored on Toplu's servers. Stripe is PCI-DSS compliant.

We store payment transaction references to manage refunds and dispute resolution. Billing name, email, and address are collected by Stripe for fraud prevention.

If you use Apple Pay, the payment token is processed by Stripe. We do not receive or store your card details.

2.5 Device and Technical Data

We collect technical data necessary for the Service to function, including:

  • A device identifier for delivering push notifications
  • App preferences (currency, language, appearance)
  • Anonymous usage data and crash reports via analytics

This data is stored on your device or in our cloud database as appropriate.

2.6 Location Data

If you grant location permission, we collect your device location once to suggest nearby departure airports during onboarding. We do not continuously track your location. The location data is processed on-device and is not stored on our servers.

3. How We Use Your Data

We process your personal data for the following purposes, each with a corresponding legal basis under GDPR Article 6:

3.1 Booking Fulfilment — Performance of a contract (Art. 6(1)(b))

  • Creating and managing flight bookings
  • Transmitting passenger details to the airline via our booking platform
  • Processing payments
  • Issuing booking confirmations via email
  • Processing refunds and cancellations
  • Managing seat selections and baggage purchases
  • Transmitting loyalty programme numbers to airlines

3.2 Account Management — Performance of a contract (Art. 6(1)(b))

  • Creating and maintaining your user account
  • Authenticating your identity via Apple Sign-In, Google Sign-In, or email sign-in
  • Storing your profile information and saved travelers
  • Processing account deletion requests

3.3 Service Communication — Performance of a contract (Art. 6(1)(b))

  • Sending welcome emails upon account creation
  • Sending booking confirmation emails
  • Sending change and cancellation confirmations
  • Notifying you of airline-initiated schedule changes
  • Sending check-in reminders
  • Sending account deletion confirmations

3.4 App Functionality — Legitimate interest (Art. 6(1)(f))

  • Suggesting nearby departure airports based on your location
  • Displaying prices in your preferred currency
  • Personalizing app language and appearance settings

Our legitimate interest is to provide a functional and user-friendly flight booking service. These processing activities have minimal impact on your privacy and are within your reasonable expectations when using a travel app.

3.5 Service Improvement — Legitimate interest (Art. 6(1)(f))

  • Analyzing anonymous usage patterns
  • Monitoring app performance and fixing technical issues

Our legitimate interest is to maintain and improve the quality of our service. Analytics data is collected in aggregate and is not linked to individual users.

3.6 Fraud Prevention and Security — Legitimate interest (Art. 6(1)(f))

  • Verifying payment authenticity via billing address verification
  • Preventing unauthorized API access via device attestation
  • Preventing duplicate or fraudulent bookings

3.7 Legal Obligations — Legal obligation (Art. 6(1)(c))

  • Retaining booking and financial records as required by Danish and EU accounting and tax law
  • Responding to legal requests from authorities

4. Who We Share Data With

We share your personal data with the following recipients, only to the extent necessary:

4.1 Airlines (via Duffel)

When you make a booking, passenger data (name, date of birth, gender, contact information, loyalty programme numbers) is transmitted to the airline through our booking platform. This data is required by the airline to issue tickets. Once transmitted, the airline processes this data under their own privacy policy.

4.2 Duffel (Booking Platform)

Duffel Technology Limited acts as our booking platform and data processor. Duffel receives passenger data and booking details to process bookings, manage orders, and facilitate changes or cancellations.

4.3 Stripe (Payment Processor)

Stripe processes your payment data as an independent data controller. Stripe receives card details (entered directly into their secure form), billing information, and payment amounts. Toplu does not have access to your full card details.

4.4 Google / Firebase (Cloud Infrastructure)

Google, through its Firebase platform, provides our cloud infrastructure including authentication, database hosting, server-side processing, push notification delivery, analytics, and security services. Firebase services are configured within the EU where available.

4.5 Resend (Email)

We use Resend to send transactional emails (booking confirmations, flight change notifications, verification codes). Resend receives the recipient email address and email content. Resend acts as a data processor and processes data in accordance with GDPR.

4.6 Apple

If you use Apple Sign-In, Apple processes your authentication. If you use Apple Pay, Apple processes your payment authorization. Apple acts as an independent data controller for these services.

4.7 Billy (Accounting)

Billy ApS acts as our accounting system and data processor. When a booking is created, changed, or cancelled, we share the following data with Billy for bookkeeping purposes: booking reference, route, booking date, payment amount, payment currency, and fee breakdown. No passenger names, contact details, or payment card information is shared with Billy.

4.8 What We Do NOT Do

  • We do not sell your personal data to any third party.
  • We do not use advertising trackers or third-party tracking pixels.
  • We do not share your data with data brokers.

5. International Data Transfers

Your personal data is primarily stored and processed within the European Economic Area (EEA).

Some data processing involves services operated by companies based in the United States (Google, Stripe, Apple). These transfers are carried out in accordance with GDPR Chapter V, under the EU-US Data Privacy Framework and/or Standard Contractual Clauses.

When you book a flight, your passenger data is transmitted to the airline. Airlines may be located outside the EEA. This transfer is necessary for the performance of the booking contract (GDPR Article 49(1)(b)).

6. Data Retention

We retain your personal data only for as long as necessary:

Data categoryRetention period
User account dataUntil you request account deletion
Saved travelersUntil you delete them or request account deletion
Booking records5 years after the travel date (Danish accounting law)
Payment references5 years after the transaction (Danish accounting law)
Analytics data14 months (default retention period)
On-device dataUntil you uninstall the app

6.1 Booking Records After Account Deletion

If you delete your account, your booking records are not deleted. We are legally required to retain financial records under Danish accounting law, and booking records may be needed for ongoing refund claims or disputes. Retained booking records are kept for a maximum of 5 years after the travel date.

7. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights:

  • Right of Access (Article 15) — Request a copy of the personal data we hold about you. You can access most of your data directly in the app.
  • Right to Rectification (Article 16) — Request correction of inaccurate data. You can update your profile directly in the app. For corrections to booking data already submitted to an airline, contact ....
  • Right to Erasure (Article 17) — Request deletion of your personal data. You can delete your account in the app under Profile settings. Booking records may be retained as described in Section 6.1.
  • Right to Restriction of Processing (Article 18) — Request restriction of processing in certain circumstances.
  • Right to Data Portability (Article 20) — Receive your personal data in a structured, machine-readable format.
  • Right to Object (Article 21) — Object to processing based on legitimate interest (Sections 3.4, 3.5, and 3.6). To exercise any of these rights, contact us at .... We will respond within 30 days.

8. Account Deletion

You can delete your account at any time from the Profile section of the app. When you delete your account:

  • Your account and personal profile data will be permanently removed.
  • All saved traveler data will be deleted.
  • Booking records will be retained for legal compliance as described in Section 6.1.
  • Local data on your device remains until you uninstall the app.

Account deletion is permanent and cannot be reversed.

9. Children's Privacy

The Service is not directed at individuals under the age of 18. You must be at least 18 years old to create an account or to make a booking, including as a guest without an account.

Children may be included as passengers in a booking made by an adult. In such cases, we collect the child's name, date of birth, and gender solely for the purpose of fulfilling the flight booking. We do not knowingly collect personal data from children for account creation.

10. Security

We implement appropriate technical and organizational measures to protect your personal data, including transport encryption (HTTPS/TLS), device attestation, secure authentication, and PCI-DSS compliant payment processing via Stripe. No card data touches Toplu's systems.

While we take reasonable steps to protect your data, no system is completely secure. If you become aware of a security vulnerability, please contact us at ....

11. Cookies and Tracking

The Toplu mobile app does not use cookies. We use anonymous analytics to monitor app performance and usage patterns. This data is collected in aggregate and is not linked to your identity.

We do not use advertising cookies, third-party tracking pixels, social media trackers, or fingerprinting technologies.

If Toplu launches a website in the future, a separate Cookie Policy will be published.

12. Push Notifications

We send push notifications to keep you informed about your bookings. You have full control over which notifications you receive:

TypeDefaultDescription
Airline-initiated changesOnAlerts when an airline changes your flight
Flight remindersOnCheck-in reminders before departure
You can manage notification preferences in the app under Profile > Notification Settings, or disable all push notifications through your device settings.

Disabling push notifications may mean you miss important updates about flight changes or check-in reminders.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be notified via email at least 30 days before they take effect. Minor clarifications may be made without prior notice.

The "Last updated" date at the top of this document indicates the most recent revision.

14. Contact and Complaints

14.1 Contact Us

For questions about this Privacy Policy, your personal data, or general support: ...

14.2 Supervisory Authority

If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority.

For users in Denmark:

Datatilsynet (Danish Data Protection Agency) Carl Jacobsens Vej 35 2500 Valby, Denmark Email: dt@datatilsynet.dk Website: datatilsynet.dk

If you are located in another EU/EEA country, you may also lodge a complaint with your local data protection authority.

Toplu ApS Reg. no. 46403274 Greater Copenhagen, Denmark ...