Canaryfly

Legal Notice and Privacy Policy

Last modification: 15/12/2022

Entity: CANARYFLY, S.L.

Corporate Tax ID No. B76013481

Registered office: Aeropuerto de Gran Canaria, Hangar L

Apartado n84, 35230 Telde

Entry in the trade register:Volume:1912; Book:0; Sheet:76; Page:GC-41361

Purpose and acceptance

This section includes all the information on personal data processing carried out by Canary Fly S.L. (hereinafter, Canaryfly) during the process of providing its services, as well as during interactions with the users of its website and other contact channels.

To facilitate your right to information and comply with the principle of transparency required by data protection regulations, this content is divided into sections that provide the desired information in a clear, direct and concise manner. If you have any questions or if you would like additional information, please don't hesitate to contact us via email lopd@canaryfly.es

The main rules that have been taken into account in configuring this content are:

  • Organic Law 3/2018 on Personal Data Protection and the Digital Rights Guarantee. Hereinafter, PDPDRG.
  • General Data Protection Regulation, EU 2016/679. Hereinafter, GDPR.

1. Data Controller

The website https://www.canaryfly.es is owned by Canaryfly and its main activity is air transport ticket sales and bookings for passengers. Multiple complementary purposes or those necessary for the company's operation and continuity are associated with this purpose. Pursuant to article 13 of the GDPR, please be advised that for the aforementioned activities, the person responsible for processing the personal data collected is CANARY FLY S.L., with Tax ID No. B76013481 and address at C/ Aeropuerto de Gran Canaria, Hangar L. 35230, Las Palmas de Gran Canaria, Spain.

1.1. Services provided by third parties

The Canaryfly website, among its features, facilitates users' access to third-party websites that provide complementary services such as hotel bookings, holiday activities and car rental. In these cases, users will be redirected to third-party websites where they can purchase the desired service, for example, hotel bookings, car rental or booking holiday activities. In all cases, these third parties are responsible for processing the data they collect pursuant to their own conditions and privacy policies.

2. Personal data collection

Canaryfly collects data during the purchase process, in person or online, of its products or services, as well as during the provision of the service or subsequent support tasks. The data is mostly provided by customers and passengers, although others, such as website browsing data (collected through cookies or tags) are the product of Data Subjects' interaction with Canaryfly's channels and, in the case of those associated with flights and itineraries, the product of automated tasks or tasks resulting from the normal development of the company's aeronautical activity.

Some data is essential for the provision of services, which is why it appears as required on forms or during interactions with company personnel. Other data such as preferences, or the data needed for personalised advertising or flight preferences, is only collected if Data Subjects agree to it.

Any required data that is not completed, or is completed incompletely or falsely, could prevent the correct provision of the service and exempt Canaryfly from any liability.

2.1. Types of data processed

The types of data that can be processed during the provision of Canaryfly services are those that appear below, without prejudice to the variations that may be applied in specific cases. It is important to know that in each situation, only the data strictly necessary for the corresponding purpose is collected:

  • Identification data: full names, national identity document or other identification documents valid in Spain.
  • Contact data: telephone, email, postal address, etc.
  • Booking and flight data: itinerary, dates, passengers, connections with third parties, contracted services, special assistance requested, emergency contacts, etc.
  • Browsing data: Canaryfly platform usage data, preferences, technical configurations, forms, tools and access methods, usage statistics, etc. Goods and services selected by Data Subjects or for which they have expressed an interest.
  • Personal data: family data, date of birth, place of birth, age, nationality, etc.
  • Physical data: image, voice.
  • Social circumstances data: registration, certifications, permits or authorisations.
  • Economic data: subsidies and benefits, credit card or other payment methods.
  • Goods and services transaction data: goods and services received by the affected party, financial transactions, compensation, returns and indemnities; collection actions and administrative management.
  • Academic and professional data: academic training, certifications, professional experience and other information that may appear on the candidate's resumé.

3. Purposes for which Canaryfly processes personal data.

Personal data processing is essential for the correct provision of the services offered by Canaryfly. This section informs of the purposes for which Canaryfly could process your data, depending on the reason for your interaction with the company.

Pursuant to article 13 of the GDPR, this section also includes the legal bases (which enable Canaryfly to process your data lawfully), as well as the recipients of the data associated with each of them and in some cases the period during which the data will be retained.

The purposes for which the data is collected

  • Purpose: to manage air transport ticket bookings and sales.

    • Legal basis: formalising agreements or the application of pre-contractual measures.

    Description: the data provided during the booking management process and tasks associated with the sale of air transport tickets for passengers is used to manage the booking/purchase process and to carry out all the associated administrative tasks (seat allocation, sending automatic information, flight reminders, verifying the boarding process, itinerary management, communication with other operators, etc.), managing payment for and the administrative management of the services (payment, invoicing, identity verification of the holders of the payment methods, returns, compensation, among other related procedures); managing grants and other benefits; provision of the service and management of its quality; physical, online and telephone customer service (provide information, manage change requests, returns, complaints, claims, incidents, queries and various other actions).

    Data communications: communication of data to other airlines in the event of connections with flights managed by third parties other than Canaryfly.

    Communications to competent authorities pursuant to the airline's legal obligations (see next section).

    Ticket acquisition and purchase data may be communicated to third-party payment service provider companies (among others, banks, savings banks, rural banks, issuers or managers of cards or payment methods) so that these providers can verify the transactions carried out in the purchase of tickets.

    In cases of lost or delayed luggage incidents, flight delays or acceptance of flight change and other related actions, your identification and contact data may be communicated to entities such as courier companies, hotels and others that provide a compensatory or corrective service for the incident.

  • Purpose: compliance with the airline's legal obligations

    • Legal basis: Compliance with legal obligations.

    Description: Some personal data of passengers may be processed for the purpose of compliance with Canaryfly's legal obligations. These obligations include:

    1. Collaboration with State Security Forces and Bodies and with competent authorities when they request in a specific, motivated manner and pursuant to the regulations applicable to the passenger data processing or investigation of crimes, among others.
    2. The collection provided for pursuant to Organic Law 1/2020, in which in extraordinary cases and with prior approval of the Council of Ministers on domestic flights that do not make stopovers in any other State, your personal data included in the PNR (Passenger Name Record) will be transmitted to the Passenger Information Unit, which as Data Controller, from receipt, will process it for the purposes of prevention, detection, investigation and prosecution of terrorism crimes and other serious crimes specifically defined within the aforementioned regulations.
    3. Communication of data to the competent authority for managing residence subsidies, large families, among others.

    Data communications: In these cases, the data necessary to comply with the legal obligation, including managing the subsidy that the customer or passenger has enjoyed, are communicated to the public administration body or to the competent authority on the matter.

  • Purpose: medical case management

    • Legal basis: consent from Data Subjects or their legal representative. In the event of an emergency during the flight, the actions taken will be carried out in the name of the vital interest of Data Subjects or of third parties if they or their representative are not in a position to provide their consent.

    Description: Managing medical cases always requires the processing of health data of the affected passengers so that the medical staff who assist Canaryfly can assess the suitability of taking the journey, as well as the requirements and adaptations that must or can be made on the plane, as well as during the flight by the crew.

    Emergency situations during the flight will be managed by the crew unless there are medical personnel on board.

    Data communications: In medical emergency situations during the flight, the data of the case and of the patient and of the people who attend to the case, whether or not they are members of the crew, are communicated to the Canary Islands Health Service so that they can continue with patient care and managing the case.

  • Purpose: recording calls made to customer service

    • Legal basis: Canaryfly's legitimate interest to carry out service quality controls, as well as to maintain proof of the content of the call.

    Description: It is informed that calls received to customer service will be recorded for the purpose of service quality and verification of the services provided.

    Data communications: Data communications are not foreseen, although they may be provided to competent authorities that request a copy of it in a specific, weighted and limited way pursuant to the applicable legislation.

  • Purpose: user account creation and management.

    • Legal basis: Consent from Data Subjects.

    Description: Data is collected that Data Subjects provide during the process of creating their Canaryfly account, as well as those that they include at a later time or those that are created from their relationship with the company, as well as their interests and preferences. It includes the purchase history, the requested invoices, information on flights made, etc.

    Data communications: Data communications are not foreseen, although they may be provided to competent authorities that request a copy of it in a specific, weighted and limited way pursuant to the applicable legislation.

    Data deletion: if you request the deletion of the user account, this action does not imply total or partial deletion of the data. The data will continue to be retained in the Canaryfly database pursuant to the data retention criteria in section IV.

  • Recovery of shopping carts and associated advertising

    • Legal basis: Consent from Data Subjects.

    Description: Through the use of tags, the data provided by Data Subjects during the unfinished purchase processes will be collected in order to send reminders and offers to complete the purchase started.

    Data communications: Data communication to third parties is not foreseen.

    Data retention: the data will be deleted after six months.

  • Purpose: sending information and advertising, carrying out interest surveys and other actions aimed at Canaryfly customers.

    • Legal basis: legitimate corporate interest.

    Description: Some Canaryfly customer data may be used to find out their interests and preferences to send them commercial information, offers and promotions, invitations to events and activities based on their purchases of products or services, as well as to carry out surveys related to interest, improvement and sales prospecting. Communications will be made by the usual channels at all times, email or post, telephone call, SMS or through instant messaging applications and even through the Canaryfly App.

    Data communications: data communications to third parties are not foreseen.

  • Purpose: sending newsletters, advertising, various surveys and other direct marketing actions by Canaryfly and by third parties.

    • Legal basis: Consent from Data Subjects.

    Description: Data Subjects may provide their identification, contact and other data in order to receive direct advertising from Canaryfly or third parties.

    Data Subjects may also consent to personalisation of the offers that they will receive. In this case, browsing data will be used to personalise the advertising shown on the website, as well as to configure personalised direct marketing actions.

    Communications will be made by the usual channels at all times, email or post, telephone call, SMS or through instant messaging applications and even through the Canaryfly App.

    Data communications: data communications to third parties are not foreseen. Any advertising actions that involve information from third parties do not entail the communication of personal data to them.

  • Purpose: to manage participation in events, activities and other activities organised by Canaryfly

    • Legal basis: Consent from Data Subjects.

    Description: The data collected during the process of registration, participation and development of events, activities and other participatory actions organised by Canaryfly will be governed by the bases of each of them.

    Data communications: he data of raffle and contest winners, as well as of participants, could be published on social networks and on the Canaryfly website. If the event has a co-organiser or the prize is associated with a third party, the co-organiser or the third party will receive the data. Extended information will be provided in each activity, go to its publication.

  • Purpose: browsing data management, use of cookies and other similar technologies.

    • Legal basis: Consent from Data Subjects.

    Description: while browsing the website, Data Subjects may or may not consent to the installation of different types of cookies or tags. The purpose of data processing in most cases is embedded in the purposes listed above: personalisation of the website, customer service, personalisation of service offerings, recovery of shopping carts, sending direct advertising.

    Data communications: The data collected by cookies, tags and other technologies managed directly by Canaryfly or its service providers is not communicated to third parties. However, if the installation of third-party cookies is accepted, Data Subjects will be allowing them to access their data directly and therefore in these cases are invited to visit their privacy policies before accepting them.

  • Purpose: customer service regarding complaints, claims, reports and other forms of exercising consumer and users' rights.

    • Legal basis: legitimate interest and compliance with legal obligations.

    Description: The data associated with the situations of this purpose will be retained for as long as the processes opened by the Data Subjects persist.

    Data communications: communication to the competent authorities on the matter of the claim, complaint or denouncement, as well as solicitors, prosecutors and other members of the judiciary that are related to the case.

  • Purpose: receipt of resumé and participation in personnel selection processes

    • Legal basis: Consent from Data Subjects.

    Description: The personal data associated with this purpose is used to assess the information included in Data Subjects' CVs and to take them into account in personnel selection processes.

    Data communications: data communications to third parties are not foreseen.

4. Contact information

The data collected by Canaryfly is retained associated with the purposes for which it is collected. A customer can provide data used for several purposes. Therefore, it will not be deleted until the need or obligation, linked to all of them, ends.

Provided that the legislation changes continuously and the obligations imposed on companies vary equally, it is not possible to provide a fixed table of data retention periods. However, pursuant to the GDPR, these are the data retention criteria applied by Canaryfly:

The data will be retained:

  • As long as necessary to achieve the purpose of the processing;
  • During the time that the contractual relationship is maintained;
  • Whenever there is a legal retention obligation;
  • As long as the responsibilities derived from the contractual relationship or the processing have not expired;
  • When there is no request for deletion by Data Subjects, if applicable.

If you would like further information on this point or if you would like to specify a specific term related to specific processing and a specific owner, please don't hesitate to contact us via email

5. Third party data processing

If you provide data from third parties during your communications with CANARYFLY, please be advised that:

  • You may only provide third-party data if you have their express consent. Therefore, by sending data from third parties, you state that you have the aforementioned consent or that you have their legal representation.
  • All the people for whom you send data must know the content of this section. You declare that you have informed them and disclosed its content.

    • CANARYFLY is not responsible if the user who completes the forms or requests does not comply with the above points.

    6. Provision of services for data processing

    Like most companies, Canaryfly subcontracts services to third parties that allow the development of the company's daily activity. Among others and by way of example, financial and accounting advice and management, insurance and reinsurance, call centres and customer service, physical security and video surveillance, logistics, ground handling for passengers, cleaning, IT services, marketing, among others, can be subcontracted.

    In all cases in which personal data is processed on behalf of Canaryfly, the principles of privacy by design and default are applied, choosing only providers that guarantee a level of compliance with data protection regulations and formalising the corresponding personal data processing agreements. Additionally, clear instructions are provided on the obligations and limitations of their service providers. The security and confidentiality requirements that must be established and for which the application is audited and controlled are also established.

    6.1. International data transfers

    The aeronautical sector requires very special service providers and technologies that in many cases have a presence outside of the EEA and therefore their use represents an international data transfer. Among them, Canaryfly performs the following:

    • Google: Transfer formalised through the formalisation of standard contractual conditions pursuant to the latest forms provided by the EC.
    • SaleCycle: Transfer under adequacy level agreement to the UK by the European Commission.

    There may be other transfers. If you wish to know about them, please request additional information by writing to lopd@canaryfly.es

    7. Customer, passenger and users' rights.

    Canaryfly is highly committed to the rights and freedoms of the Data Subjects whose data it processes. It therefore informs you that, at all times and as applicable to each specific case, you have the right to exercise your:

    1. Right to access your personal data. Know what information is about your person, what data, how, when, where, for what purpose, etc. it was collected and to whom, for what purpose and how it has been provided; for how long it is expected to be retained and any other related data that you request to know about and that is applicable.
    2. Right to change your personal data. If there is an update or an error or any situation that you consider requires a formal modification, you can request it through this channel.
    3. The right to delete your personal data. If there is no legal obligation to do so, the data is not necessary for the provision of a service, the fulfilment of the public interest or of a third party, you can request that it is deleted.
    4. The right to oppose the processing of your personal data. You can oppose the processing of your personal data. In particular, in cases in which the processing is based on the legitimate interest of the company or a third party. For example, you can object to the processing of your data for direct marketing purposes based on Canaryfly's legitimate interest or to the automated processing of your personal data. The opposition may be made at any time throughout the processing, without prejudice to the legality of the processing carried out while you did not object.
    5. The right to request limitation on the processing of your personal data when the applicable requirements are met and for the purposes that you consider appropriate according to law.
    6. The right to portability of your personal data. You may request that Canaryfly provide a third party with the information that you have provided or that has been inferred or collected digitally.
    7. The right to withdraw any consent granted without affecting the legality of the processing carried out to date. In this case, you can unsubscribe from this purpose via the links at the bottom of the advertising emails, in "unsubscribe" or by sending an email to lopd@canaryfly.es
    8. Finally, please be advised that any Data Subject may lodge a claim with the Spanish Data Protection Agency (www.aepd.es), especially when satisfaction in the exercise of their rights has not been obtained.

    7.1. Contact information

    To exercise your data protection rights, please contact Canaryfly via email lopd@canaryfly.es or by letter to C/ Aeropuerto de Gran Canaria, Hangar L. 35230, Las Palmas de Gran Canaria, Spain.

    These rights can be exercised by means of written communication, attaching a copy of your national identity document, passport or other legally valid document that proves the identity of the Data Subject, addressed to lopd@canaryfly.es or by post to C/ Aeropuerto de Gran Canaria, Hangar L. 35230, Las Palmas de Gran Canaria, Spain. To ensure that your request can be processed correctly, please provide the following information:

    • Full name
    • Identity document (National ID No. or passport).
    • At least one contact method (email, telephone, postal address).
    • Purpose of the request.
    • Copy of an identity document or passport to verify your identity.

      • The exercise of these rights is very personal, so only Data Subjects can exercise them with respect to the personal data for which they are the legitimate owner. However, in the cases in which it is admitted to do so, Data Subjects' authorised representatives may exercise the rights that apply to them in the terms set forth, provided that the aforementioned communication is accompanied by the document accrediting such representation.

      8. Data security

      CANARYFLY has adopted multiple administrative and security measures, both physical and online, that guarantee a high standard of security for the personal data that it processes in its own logical and analogue facilities and those of third parties from which it receives services.

      The measures applied are aimed at guaranteeing the permanent confidentiality, integrity, availability and resilience of the processing systems and services and quickly restoring the availability and access to personal data in the event of a physical or technical incident. And, above all, in any case, guarantee the right to protection of the Data Subjects' personal data and all their associated rights and freedoms.

      9. Policy modification and update

      This content may be modified at any time either to update it in relation to new processing purposes, as well as legislative changes, guidelines or jurisprudence of the EU Data Protection authorities or for reasons of improving transparency and quality of the service.