Privacy Policy

What We Collect

When you create an account, we store:

  • Account info — display name, email address, timezone
  • Password — stored as a bcrypt hash (we never see or store your plaintext password)
  • Preferences — home airports, destination ratings, scoring weights, schedule settings
  • Cached flights — search results are cached locally so you don't re-spend API credits
  • Discord ID — only if you choose to link your Discord account for notifications

SerpApi Key Handling

If you provide a SerpApi key:

  • Your key is encrypted at rest using AES-128 symmetric encryption before being stored in the database
  • It is used only to query Google Flights data on your behalf when you run a search or when your weekly schedule triggers
  • Your key is never shared with other users or third parties
  • You can remove your key at any time from your Profile page

Data Retention

  • Cached flight data is retained based on your chosen retention period (30-365 days after departure date), configurable on the Profile page
  • A maximum of 180 date entries are stored per user regardless of retention setting
  • Expired cache entries are cleaned up automatically
  • You can export all cached data to CSV at any time from your Profile page

Cookies

We use a single session cookie to keep you logged in. It is:

  • HttpOnly (not accessible to JavaScript)
  • SameSite=Lax (prevents cross-site request forgery)
  • Expires after 30 days of inactivity

We do not use tracking cookies, analytics cookies, or third-party cookies.

Third-Party Services

  • SerpApi — flight data queries (using your API key). Subject to SerpApi's terms.
  • Resend — email delivery for verification and weekly digests (if email is enabled). Only your email address is shared.
  • Discord — notifications (if you link your account). Only your Discord ID is used.

No user data is sold, shared with advertisers, or used for any purpose beyond the Service's functionality.

Data Storage

All data is stored in a SQLite database on the server. The database is not shared with any external services. Backups are maintained for disaster recovery purposes only.

Your Rights

You can:

  • View and update your account information on the Profile page
  • Export all your cached flight data to CSV
  • Remove your SerpApi key at any time
  • Request account deletion by contacting the administrator

Changes to This Policy

This policy may be updated from time to time. Continued use of the Service after changes constitutes acceptance.

Last updated: March 2026

✈️ Donate
Terms | Privacy | Disclaimer | Community | Built by Samuel Vierling