Privacy Policy

1. Purpose and acceptance

In this section, you will find all the information about how Canary Fly S.L. (hereinafter, “Canaryfly”) processes personal data when providing its services, as well as during interactions with users of its website and other means of contact.

To make it easier for you to exercise your right to information and to comply with the principle of transparency required by data protection regulations, this content is divided into sections that will allow you to find the information you need in a clear, direct, and concise manner. If you have any questions or would like additional information, please do not hesitate to contact us via email at attpasajero@canaryfly.es 

At Canaryfly, we understand that your privacy is paramount. Therefore, we have designed this policy following the transparency standards set down in Regulation (EU) 2016/679, the General Data Protection Regulation (hereinafter GDPR), and Organic Law 3/2018 (LOPDgdd: Spain's Data Protection and Digital Rights Act), and guaranteeing that your information is processed with the utmost technical and legal rigor.

1.1 Data controller

The www.canaryfly.es webpage is owned by Canaryfly, and its main activity is the sale and booking of air transport tickets for passengers. Associated with this activity are multiple complementary purposes that affect or may affect the processing of your personal data by the company. 

In accordance with Article 13 of the GDPR, we inform you that, for the aforementioned activities, the data controller responsible for the processing of the personal data collected is CANARY FLY S.L., with NIF (Tax ID) B76013481, with its registered office at Calle Aeropuerto de Gran Canaria, Hangar L, 35230, Las Palmas de Gran Canaria, Spain.

Services provided by third parties

Among its features, the Canaryfly website provides its users with access to third-party websites that provide complementary services that may be linked to hotel reservations and car rentals. In these cases, users will be redirected to third-party pages where they can purchase the desired service. In all cases, these third parties will be responsible for processing the data they collect in accordance with their own terms and conditions and privacy policies, in which Canaryfly does not intervene and for which it will not be responsible.

2. Personal Data Collection

Canaryfly collects data during the process to purchase its products or services, whether in person or online, as well as during the provision of the service or subsequent support activities. The data is mostly provided by customers and passengers, although other data, such as web browsing data (collected through cookies or similar technologies), is the result of the data subject's interaction with Canaryfly's media, and in the case of data associated with flights and their itinerary, it is the result of automated tasks or the normal course of the company's aeronautical activity.

Certain data is essential for providing our services, which is why it is marked as mandatory on forms or during interactions with company staff. Other data, such as preferences, or data necessary for personalized advertising, or flight preferences, will only be collected if the data subject agrees to it and gives their consent.

Data that is mandatory but not filled in, filled in incompletely, or is erroneous according to the official documentation identifying the data subject could prevent the proper provision of the service and exempt Canaryfly from any liability related to that impediment.

2.1 Type of data processed

The information we process is that which you provide to us to manage your air transport contract. 

This includes everything from the formalization of the reservation and the issuance of the ticket to the management of boarding and baggage check-in. For these procedures, which are the most common, the data we collect is usually identifying data (first name, last name, ID/Passport), contact data (telephone, email), and financial data for payment processing.

Apart from this main processing, there may be other purposes or services, and it may be necessary to collect more personal data and even other types of data. We guarantee that in each situation, only the data strictly necessary for the corresponding purpose will be collected.

The data that Canaryfly may process about its customers and/or passengers is:

• Identifying data:  first and last name, national identity document, or other identification documents valid in Spain.
• Contact information: phone number, email address, mailing address, etc.
• Booking and flight data: itinerary, dates, passengers, connections with third parties, services purchased, special assistance requested, emergency contacts, etc.
• Browsing data: data on the use of Canaryfly platforms, preferences, technical configurations, forms, tools and means of access, usage statistics, etc. Goods and services selected by the data subject or in which they have shown interest.
• Personal characteristics: family, date of birth, place of birth, age, nationality, etc.
• Physical data: voice.
• Medical data: allergies or special needs.
• Data on social circumstances:  municipal registration, certifications, permits and authorizations.
• Financial data: subsidies and benefits, credit cards or other payment methods.
• Data on transactions involving goods and services: goods and services received by the data subject, financial transactions, offsets, refunds, and compensation; collection actions and administrative management.

3. Purposes for which Canaryfly processes personal data

As we have already indicated, the processing of personal data is essential for the proper provision of the services offered by Canaryfly. In this section, we inform you of the purposes for which Canaryfly may process your data, depending on the reason for your interaction with the company.

In accordance with Article 13 of the GDPR, in this section, you will also find the legal basis (which allows us to process your data lawfully), as well as the recipients of the data for each purpose, and, in some cases, the period for which the data will be retained.

3.1 Managing reservations and selling air transport tickets.

Legal basis: Article 6.1.b) GDPR: performance of a contract or the implementation of pre-contractual measures.

Description: The data provided during the process of managing reservations and tasks associated with the sale of passenger air transport tickets will be used for the following purposes: to manage the reservation/purchase and to carry out all related administrative tasks (seat allocation, sending automatic information, flight reminders, verifying the boarding process, itinerary management, communication with other operators, etc.); to manage payment and to carry out the administrative management of services (payment, billing, verifying the identity of payment method holders, refunds, compensation, and other related tasks); to manage subsidies and other benefits; to provide the service and to manage its quality; and to provide in-person, online, and telephone customer service (providing information, handling requests for changes, refunds, complaints, claims, incidents, inquiries, and other miscellaneous actions).

Data communication: The disclosure of data to other airlines in the event of connections with flights managed by third parties other than Canaryfly.

Disclosures to competent authorities in compliance with the airline's legal obligations (see next section).

Ticket acquisition and purchase data may be disclosed to third-party payment service providers (including, but not limited to, banks, savings banks, rural banks, and entities that issue or manage cards or payment methods) so that these providers can verify the transactions carried out in connection with ticket purchases.

In the event of incidents involving lost or delayed baggage, flight delays, acceptances of flight changes, or other related actions, your identification and contact information may be disclosed to entities such as courier companies, hotels, and others that are required to provide a compensatory or corrective service in response to the incident.

Retention: The retention periods for data relating to ticket reservations and sales shall be subject to current regulations. The maximum retention period set by the Commercial Code for documentation such as invoices or receipts is 6 years.

3.2 Compliance with the airline's legal obligations

Legal basis: 6.1.c) GDPR: Compliance with legal obligations.

Description: Some passengers’ personal data may be processed for the purpose of complying with Canaryfly’s legal obligations. These obligations include:

1. The obligation to cooperate with law enforcement agencies and competent authorities, when they make a specific, justified request in accordance with the regulations applicable to the processing of passenger data, or for the purposes of criminal investigations, among others.
2. Pursuant to Organic Law 1/2020, in extraordinary cases and with the prior approval of the Council of Ministers, on domestic flights that do not make stopovers in any other State, your personal data contained in the PNR (Passenger Name Record) will be transferred to the Passenger Information Unit. As the data controller, the Passenger Information Unit will process this data, from the time it is received, for the purposes of preventing, detecting, investigating, and prosecuting terrorist offenses and other serious crimes specifically defined in the aforementioned law.
3. Communication of data to the competent authority for the management of residence and large family subsidies, among others.

Data communications: The data that is processed by Canaryfly and requested must be communicated to the authorities that request it based on what is indicated in this section. 

Retention: The retention periods for data related to this section will be those established for each of the purposes for which that data was collected.

3.4 Management of medical cases and in-flight emergencies

Legal basis: 9.2.a) and c) GDPR: consent of the data subject or their legal representative. In the event of an emergency during the flight, the actions taken will be legitimized based on the vital interest of the data subject or of third parties if the data subject is not in a position to give their consent.

Description: The management of medical cases requires the processing of the health data of the affected passengers so that the medical personnel assisting Canaryfly can assess the suitability of the journey, as well as the requirements and adaptations that must or can be made on the plane during the flight by the crew. Emergency situations during the flight will be managed by the crew as well as by the medical personnel on board.

Data communications: In medical emergency situations during the flight, the data regarding the case, the patient, and the people attending to the emergency, whether or not they are part of the crew, will be communicated to the Canary Islands Health Service or a similar body through the intermediation of air traffic control so that they can continue with patient care and case management.

Retention: The retention periods for data relating to medical cases will be those strictly necessary to fulfil the purpose for which they were collected, and the data will be deleted as soon as possible.

3.4 Recording of calls on the customer service hotline

Legal basis: 6.1.f) GDPR: Canaryfly has a legitimate interest in carrying out quality controls of the service, as well as in keeping proof of the content of the call. The user may object to the processing by using other means of contact.

Description: During calls received by customer service, callers are informed that the calls will be recorded for the purposes of service quality and to verify the services provided.

Data disclosures: No data disclosures are planned; however, data may be provided to a competent authority that specifically, reasonably, and in a limited manner requests a copy of the data in accordance with applicable law.

Retention: The retention periods for data relating to calls will be those strictly necessary to fulfil the purpose for which they were collected.

3.4 Creation and management of user accounts

Legal basis: the data subject's consent.

Description: We collect data that the data subject provides during the process of creating their Canaryfly account, as well as data they provide at later stages, or data generated by their relationship with the company, and data relating to their interests and preferences. This includes purchase history, invoices requested, information on flights taken, etc.
Data disclosures: No data disclosures are foreseen, but data may be provided to the competent authority that specifically, carefully, and in a limited manner requests a copy thereof in accordance with the applicable legislation.

Deletion of data: If you request the deletion of the user account, this action does not imply the total or partial deletion of the data. The data will continue to be kept in the Canaryfly database in accordance with the data retention criteria in this document for the different data processing operations.

3.5 The recovery of abandoned shopping carts and associated advertising

Legal basis: The data subject's consent.

Description: Through the use of tags, data provided by the data subject during unfinished purchase processes will be collected in order to send them reminders and offers to complete the purchase they have started.

Data disclosure: We do not plan to disclose data to third parties.

Data retention: The data will be deleted after 6 months.

3.6 Purpose: Sending information and advertising, conducting interest surveys, and carrying out other activities aimed at Canaryfly customers

Legal basis: Legitimate corporate interest.

Description: Some of Canaryfly's customer data may be used to learn about their interests and preferences and, based on their purchases of products or services, to send them marketing information, offers, and promotional deals, as well as invitations to events and activities, and to conduct surveys on their interests, for improvement purposes, and for marketing research. Communications will be sent via the usual channels at any given time: email, post, phone, text messages, instant messaging apps, or even through the Canaryfly app.

Data disclosure: We do not foresee the sharing of data with third parties.

Data retention: Data will be retained unless the user raises an objection to it.

3.7 Purpose: To send newsletters, advertising, different surveys, and other direct marketing activities, both our own and those of third parties

Legal basis: The data subject's consent.

Description: Data subjects may provide their identification, contact, and other data in order to receive direct marketing communications from Canaryfly or third parties.

Data subjects may also consent to the personalization of the offers they receive. In this case, browsing data will be used to personalize the advertising displayed on the website and to set up personalized direct marketing activities.

Communications will be sent via the usual channels at any given time: email, post, phone, text messages, instant messaging apps, or even through the Canaryfly app.

Data disclosure: we do not foresee the sharing of data with third parties. Any advertising activities that may involve third-party information will not entail the disclosure of personal data to those third parties.

Data retention: the data will be retained unless the user withdraws their consent.

3.8 Purpose: To manage participation in events, activities, and other initiatives organized by Canaryfly

Legal basis: the data subject's consent.

Description: Data collected during the process for registration, participation in, and the holding of events, activities, and other participatory initiatives organized by Canaryfly will be governed by the terms and conditions of each of these events, activities, or initiatives.

Data disclosure: The data on winners of drawings and contests, as well as of participants, may be published on social media and on the Canaryfly website. If the event has a co-organizer, or the prize is associated with a third party, the latter will also receive the data. More detailed information will be provided for each activity; please refer to the relevant announcement.

Data retention: the data will be retained as long as the user does not withdraw their consent and until the end of the event.

3.9 Purpose: the management of browsing data and the use of cookies and other similar technologies

Legal basis: the data subject's consent.

Description: While browsing the website, the data subject may provide or withhold their consent for the installation of various types of cookies or tags. In most cases, the purpose of data processing is subsumed in the purposes listed above: personalizing the website, providing customer service, personalizing service offerings, recovering shopping carts, and sending direct advertising.

Data disclosure: Data collected through cookies, tags, and other technologies managed directly by Canaryfly or its service providers is not shared with third parties. However, if the data subject consents to the installation of third-party cookies, they will be allowing those third parties to access their data directly. Therefore, in such cases, we encourage the data subject to review the privacy policies of those third parties before consenting to the cookies.

Data retention: the data will be retained unless the user withdraws their consent.

3.10 Purpose: Handling complaints, claims, reports, and other ways of exercising consumer and user rights

Legal basis: legitimate interest and compliance with legal obligations.

Description: Data related to the situations covered by this purpose will be retained for as long as the proceedings initiated by the data subjects continue.

Data disclosure: communication to the competent authorities in the matter subject to the claim, complaint or report is envisaged, as well as to lawyers, prosecutors and other members of the judiciary involved in the case.

Data retention: the data will be retained unless the user withdraws their consent.

4. Data retention criteria

Canaryfly retains the data it collects in connection with the purposes for which it was collected. A customer may provide data that is used for several purposes; accordingly, such data will not be deleted until the need or obligation linked to all of those purposes has come to an end.

Because legislation is constantly changing and the obligations placed on companies are also evolving, it is not possible to provide a fixed table of data retention periods. However, in accordance with the GDPR, these are the data retention criteria that Canaryfly applies:

Data will be retained:

• As long as it is necessary to achieve the purpose of the processing;
• As long as the contractual relationship continues.
• As long as there is a legal obligation to retain the data;
• Until the responsibilities arising from the contractual relationship, or from the processing, have expired.
• Until there is a request for erasure by the data subject, in the applicable cases.

We will actively review the data in our possession and either securely delete it or keep it duly blocked. They may be anonymized for statistical purposes or for the development of segmentations to better understand our clientele. In this case, it will always be grouped, and it will not be possible to ascertain the identity of the customer from whom the data originates.

If you would like more information on this point or if you would like to specify a specific period relating to a specific processing operation and a specific data subject, please do not hesitate to contact us via email at attpasajero@canaryfly.es.

4. Processing of third-party data

If, in the course of your communications with CANARYFLY, you provide us with the data of third parties, we hereby inform you that:

• You may only provide us with the data of third parties if you have their express consent. Therefore, by providing us with the third parties' data, you declare that you have obtained the aforementioned consent, or that you are acting as their legal representative.
• All individuals whose data you provide to us must be aware of the content of this section. You declare that you have informed them and made them aware of the content of this section.

CANARYFLY is not liable in the event that the user who completes the forms or requests does not comply with the above points, and reserves the right to request documentation proving said representation at any time.

5. The provision of services for data processing

Like most companies, Canaryfly subcontracts services to third parties to support the company's day-to-day operations. Among other things, and by way of example, it is possible to outsource tasks related to financial and accounting advice and management, insurance and reinsurance, call centres and customer service, physical security and video surveillance, logistics, passenger ground handling, cleaning, IT services, and marketing, among others.

In all cases where personal data is processed on behalf of Canaryfly, the principles of privacy by design and by default are applied. Only providers that guarantee a certain level of compliance with data protection regulations are selected, and the corresponding personal data processing agreements are formalized. In addition, clear instructions are provided regarding the obligations and limitations of its service providers. Likewise, the security and confidentiality requirements that they must establish are set forth, and their application is audited and monitored.

5.1 International data transfers

The aviation sector requires highly specialized service providers and technologies that, in many cases, are based outside the European Union, and, therefore their use represents an international data transfer. Among them, Canaryfly carries out the following:

• Google: Transfer formalized through the formalization of standard contractual clauses in accordance with the latest models provided by the EC.

There may be other specific transfers associated with your data. If you would like to know more, you can request additional information at attpasajero@canaryfly.es.

6. Rights of customers, passengers and users in relation to the processing of their data

Canaryfly is extremely committed to the rights and freedoms of the data subjects whose data it processes. For this reason, you are hereby informed that, at all times, and as applicable to each specific case, you have the right to exercise your:

1. The right to access your personal information. To know what information is processed about you, what data, how, when, where, and for what purpose, etc. it was collected, to whom, for what purpose, and how it has been provided; for how long it is expected to be kept, and any other related data that you ask to know and that is applicable.
2. The right to rectify your personal data. In the event that there is an update, or an error, or any situation that you believe requires a formal modification, you can request it through this channel.
3. The right to erasure of your personal data. In cases where there is no legal obligation, where the data is not necessary for the provision of a service, or for the fulfilment of the public interest or the interest of a third party, you may request the deletion of your personal data.
4. The right to object to the processing of your personal data. You may object to the processing of your personal data, particularly in cases where the processing is based on the legitimate interest of the company or a third party. For example, you may object to the processing of your data for direct marketing purposes based on Canaryfly's legitimate interest, or to the automated processing of your personal data. You may object at any time during the processing, without  this affecting the lawfulness of the processing carried out prior to your objection.
5. Right to request the restriction of the processing of your personal data when the applicable requirements are met, and for the uses you deem appropriate in accordance with the law.
6. The right to the portability of your personal data. You may ask Canaryfly to share the information you have provided, or that has been inferred or collected digitally, with a third party.

In any event, you have the right to withdraw any consent you have given, without this affecting the lawfulness of the processing carried out up to that point. In this case, you can opt out of this purpose by using the links at the bottom of promotional emails, clicking "unsubscribe," or sending an email to lopd@canaryfly.es.

Finally, we would like to inform you that any data subject may lodge a complaint with the Spanish Data Protection Agency (www.aepd.es), particularly if they have not received a satisfactory response when attempting to exercise their rights.

6.1 DPO contact information

You can exercise these rights by sending a written message to lopd@canaryfly.es or by mail to Calle Aeropuerto de Gran Canaria, Hangar L. 35230, Las Palmas, Spain. 

To ensure that your request can be processed properly, we need you to provide us with the following information:

• Full name.
• ID number (DNI, NIE, or passport).
• At least one contact method (email address, phone number, or postal address).
• Purpose of the request.

The exercise of these rights is strictly personal, so only the data subject themselves can exercise them with respect to the personal data of which they are the legitimate owner. However, in cases where it is permitted, the data subject's authorized representative may exercise the rights to which the data subject is entitled under the terms set out above, provided that the aforementioned communication is accompanied by the document accrediting such representation.

7. Data security

CANARYFLY has implemented a wide range of administrative, physical, and online security measures to ensure a high standard of security for the personal data it processes at its own digital and physical facilities, as well as at those of third parties from which it receives services.

The measures implemented are designed to ensure the ongoing confidentiality, integrity, availability, and resilience of the processing systems and services, and to restore the availability of and access to personal data promptly in the event of a physical or technical incident. And, above all, in any case, to guarantee the right to the protection of personal data of the data subjects, and all their associated rights and freedoms.

8. Modification and updating of the policy

This content may be modified at any time either to update it in relation to new processing purposes, or due to changes in legislation, guidelines or case law (JURISPRUENCIA) of the EU Data Protection Authorities, or for reasons of improving transparency and quality of service.