Privacy policy

IoCarta ("we", "us", "our") operates the flight-deal discovery service at iocarta.com. We are the data controller responsible for the personal data described in this policy under Regulation (EU) 2016/679 (the "GDPR").

For any privacy-related question or to exercise the rights described below, contact us at privacy@iocarta.com.

The personal data we hold is limited to what you actively provide:

• Email address — when you subscribe to deal alerts.
• Preferred home airport (IATA code, e.g. BRU) — to target alerts.
• Subscription preferences — maximum budget, trip type, minimum confidence score, if you choose to set them.

We do not collect, store, or process: payment information, full names, addresses, phone numbers, passport or ID data, behavioural profiles, or any sensitive category data within the meaning of Article 9 GDPR. We do not run advertising or remarketing trackers.

We process your email address and preferences for the sole purpose of sending you the deal alerts you have subscribed to. The legal basis is your consent (Article 6(1)(a) GDPR), given when you submit the subscription form and confirm through the double opt-in email. You may withdraw consent at any time via the unsubscribe link in any alert email, or by emailing us.

Alert emails are dispatched through SendGrid (Twilio Inc., a US-based processor). Your email address is passed to SendGrid strictly to deliver the message you requested. The transfer relies on the EU–US Data Privacy Framework and Standard Contractual Clauses. SendGrid's privacy statement is available at twilio.com/legal/privacy.

We use a small number of first-party cookies to keep the site usable and, with your consent, a single third-party analytics service. The detailed list is in our Cookie Policy.

Google Analytics 4 (via Google Tag Manager) is loaded only after you click Accept all or Save choices with analytics enabled in the cookie banner. We use it solely to count visits and understand which deals are useful. IP addresses are anonymised; we have not enabled any Google Signals advertising features.

We use Google Consent Mode v2, which means that for visitors who decline analytics, no analytics cookies are set and only anonymous, aggregated ping signals are sent to Google. We do not run advertising or remarketing tags. You can change your choices at any time via Manage cookies in the footer.

Google Analytics is operated by Google Ireland Ltd. and may transfer aggregated data to Google LLC (United States) under the EU–US Data Privacy Framework.

Subscribers receive three types of email, all sent through SendGrid (see section 4):

• A one-off welcome / confirmation email after you subscribe, used to verify the address (double opt-in).
• Error-fare alerts when a flight matching your preferences (home airport, budget, trip type) crosses our discovery threshold. We rate-limit alerts to a maximum of 3 per day per subscriber and de-duplicate so you never receive the same deal twice.
• An optional weekly digest with the top deals of the past 7 days, sent once per week.

Every email contains a one-click unsubscribe link. Unsubscribing removes you from all three types immediately.

When you click a deal link, you leave IoCarta and arrive on a partner site (Aviasales, Travelpayouts, or the operating airline). From that point, the partner's own privacy policy governs the processing of your data. We do not see your booking details, your payment information, or your travel itinerary.

The affiliate network used to credit our commission sets a short-lived attribution cookie under the partner's domain. We receive only aggregated, anonymous commission reports — never your personal data.

We retain your email address and preferences for as long as your subscription is active. If you unsubscribe, we delete the active record within 30 days and retain a minimal suppression record (your email hash) indefinitely to ensure we do not re-email you by mistake.

Aggregate scraping and engagement data (e.g. how many subscribers, how many opens) is anonymised and kept for operational reporting.

We never sell, rent, or trade your personal data. We share email addresses only with:

• SendGrid, as our email-delivery processor (see section 4).
• Competent authorities, where we are legally required to do so in response to a valid legal process.

Our servers are located in the European Union (Amsterdam, NL). The only international transfer we perform is the controlled transfer of email addresses to SendGrid (US), described in section 4.

You have the right to:

• Access the personal data we hold about you;
• Rectify any inaccurate or incomplete data;
• Erase your data ("right to be forgotten");
• Restrict or object to processing;
• Request data portability in a machine-readable format;
• Withdraw consent at any time, without affecting prior processing;
• Lodge a complaint with your national data protection authority — in Belgium, the Gegevensbeschermingsautoriteit (gegevensbeschermingsautoriteit.be).

To exercise any of these rights, email privacy@iocarta.com. We respond within 30 days, free of charge in normal circumstances.

We protect personal data with industry-standard measures: HTTPS everywhere, encrypted databases at rest, restricted administrative access, and routine security updates. No system is perfectly secure; in the unlikely event of a personal-data breach affecting your data, we will notify you and the relevant supervisory authority in accordance with Articles 33 and 34 GDPR.

The Service is not directed at children under 16. We do not knowingly collect data from anyone under that age. If you believe a child has provided us with personal data, please contact us so we can delete it.

Material changes will be highlighted on the homepage and reflected in the "Last updated" date above. For subscribers, significant changes will be communicated by email.