Privacy Policy

1. Overview

Wingit (“we,” “us,” or “our”) operates the website at wingitdeals.com and the Wingit mobile applications on iOS and Android (collectively, the “Service”). This Privacy Policy explains what information we collect, how we use it, and the choices you have regarding your information.

Wingit is a Data Fiduciary as defined under the Digital Personal Data Protection Act, 2023 (“DPDP Act”) of India. Processing of personal data is based on your consent under Section 6 of the DPDP Act. We also comply with the Information Technology Act, 2000 and applicable rules thereunder, as well as the General Data Protection Regulation (“GDPR”) for users in the European Economic Area (“EEA”).

By using the Service, you agree to the collection and use of information in accordance with this policy. Please also read our Terms & Conditions before using the Service.

2. Information We Collect

a. Information you provide to us

• Email address — collected when you sign up or subscribe.
• Phone number (WhatsApp / SMS) — collected only if you opt in to WhatsApp or SMS alerts. We record the timestamp and source of your consent. This number is used exclusively for sending deal notifications.
• Travel preferences — your home departure airports, preferred destinations, and travel months, collected during onboarding or account settings to personalise your alerts.
• Payment information — we do not store your card or bank details. Payments are processed by our payment providers; we receive only confirmation of successful transactions.

b. Information collected automatically

• Device and usage data — device type, operating system version, app version, pages or screens viewed, and interactions with the Service (e.g., deals tapped).
• Push notification token — a unique token generated by your device used to deliver push notifications. No personal identity is embedded in this token.
• IP address and approximate location — your IP address and the broad geographic region derived from it, used for fraud prevention and service analytics.
• Cookies and similar technologies — see Section 9 for details.

3. How We Use Your Information

We use the information we collect to:

• Deliver flight deal alerts to you via email, push notification, WhatsApp, and/or SMS based on your preferences.
• Create and maintain your account and manage your subscription.
• Process payments and manage billing through our payment processors.
• Personalise your experience by matching deals to your home airports and preferred destinations.
• Send transactional and service messages (e.g., subscription receipts, account notifications).
• Improve the Service by analysing usage patterns and diagnosing technical issues.
• Prevent fraud, abuse, and violations of our Terms & Conditions.
• Comply with applicable legal obligations.

We will not use your email or phone number for marketing from third parties. We do not sell your contact details to advertisers.

Legal basis for processing (GDPR — EEA users): We process your personal data on the following bases under Article 6 GDPR: consent (marketing communications, WhatsApp and SMS alerts); contract performance (delivering subscription features you have purchased); and legitimate interests (fraud prevention, service analytics, and security monitoring). You may withdraw consent at any time — this does not affect the lawfulness of processing before withdrawal.

4. Third-Party Service Providers

To operate the Service, we engage trusted third-party processors. Each processor receives only the data needed for its specific function and is contractually bound to handle that data in accordance with applicable privacy laws and our instructions.

The categories of processors we use are:

• Cloud infrastructure and database hosting — to store account data and serve the application.
• Payment processing — to charge subscription fees. For web payments, we use Razorpay; for iOS and Android, payments are processed by Apple and Google respectively. We never receive or store your full card or bank details.
• Transactional email delivery — to send account, billing, and deal notification emails.
• Push notification delivery — to send mobile push alerts.
• Messaging delivery (WhatsApp / SMS) — to send deal alerts to users who have opted in.
• Flight price data sources — to retrieve fare information. Only anonymous query parameters (origin, destination, dates) are sent; no personal data about you is shared with these sources.
• Application monitoring and error tracking — to maintain service reliability. Personally identifiable information is excluded from these logs wherever possible.

International data transfers. Some of our processors operate servers outside India, including in the United States and the European Union. Where data is transferred internationally, we rely on appropriate safeguards as required by applicable law, including Standard Contractual Clauses where relevant.

A current list of the specific sub-processors we engage is available to verified account holders, regulators, and enterprise customers on written request to support@wingitdeals.com.

5. Data Sharing

We do not sell, rent, or trade your personal information. We share your data only:

• With service providers described in Section 4 — solely to the extent necessary to operate the Service on our behalf.
• To comply with law — if required by a court order, government request, or other legal obligation, or to protect the rights, property, or safety of Wingit, our users, or the public.
• In a business transfer — if Wingit is involved in a merger, acquisition, or asset sale, your data may be transferred. We will notify you before your data is transferred and becomes subject to a different privacy policy.

6. Data Retention & Account Deletion

We retain your personal information for as long as your account is active or as needed to provide the Service. If you request account deletion:

• Your account data (email, phone, preferences) is deleted within 30 days of your confirmed request.
• Aggregated or anonymised usage statistics that cannot identify you may be retained indefinitely.
• We may retain data for a longer period where required by applicable law (e.g., financial records for tax compliance).

How to delete your account:

• iOS / Android app — go to Settings → Delete Account inside the Wingit app and confirm. Your account is deleted immediately.
• Web — visit wingitdeals.com/delete-account, enter your email address, and click the confirmation link we send you.

7. Your Rights

As a Data Principal under the DPDP Act, 2023, and as a data subject under other applicable laws, you have the right to:

• Access — request a copy of the personal data we hold about you.
• Correction — request that we correct inaccurate or incomplete data.
• Deletion (erasure) — request that we delete your personal data, subject to legal retention obligations. You may also delete your account directly — see Section 6.
• Grievance redressal — raise a complaint with our Grievance Officer (see Section 14). Under the DPDP Act we will acknowledge within 48 hours and resolve within 30 days.
• Withdrawal of consent — opt out of marketing communications at any time by using the unsubscribe link in any email or contacting us directly.
• Portability — request your data in a structured, commonly used format.
• Opt out of WhatsApp / SMS — reply STOP to any message or contact us at support@wingitdeals.com.

To exercise any of these rights, email us at support@wingitdeals.com. We will respond within 30 days. For users in the European Economic Area (EEA), you may also lodge a complaint with your local data protection authority (supervisory authority under GDPR Article 77).

8. Security

We take reasonable and appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These include:

• TLS/SSL encryption for all data in transit.
• Row-level security enforced at the database level, so each user can only access their own data.
• API keys and service credentials stored as environment variables, never in code.

However, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, and you use the Service at your own risk.

9. Cookies & Tracking

Website (wingitdeals.com): We use essential cookies necessary for authentication (managing your login session). We do not use advertising cookies or third-party tracking cookies (e.g., Facebook Pixel, Google Ads) at this time.

Mobile apps: The Wingit iOS and Android apps do not use browser cookies. We use a device-level push token for push notifications and an anonymous session identifier for authentication, both stored locally on your device.

If we introduce analytics tools or additional tracking in the future, we will update this policy and, where required, obtain your consent.

10. Children's Privacy

The Service is not directed at children under the age of 18. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected personal data from a person under 18 without parental consent, we will take steps to delete that information promptly. If you believe we have inadvertently collected such data, please contact us at support@wingitdeals.com.

11. International Data Transfers

Wingit uses infrastructure hosted primarily in the United States and other jurisdictions (including Supabase, Vercel, Resend, and RevenueCat). By using the Service, you acknowledge that your personal data may be transferred to and processed in countries outside India or your country of residence, which may have different data protection standards.

For transfers of personal data from the EEA, we rely on appropriate safeguards under GDPR Article 46 (including Standard Contractual Clauses where applicable) to ensure your data receives adequate protection. For transfers from India, we comply with Section 16 of the DPDP Act, 2023, and any rules notified thereunder.

If you have questions about the specific safeguards in place for international transfers, contact us at support@wingitdeals.com.

12. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights or freedoms, we will:

• Notify the Data Protection Board of India (or the relevant supervisory authority) within the timeframes required by applicable law.
• Notify affected users without undue delay when the breach is likely to result in high risk to their rights, providing details of the nature of the breach and steps they can take to protect themselves.

If you believe your account or data has been compromised, contact us immediately at support@wingitdeals.com.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will revise the “Last updated” date at the top of this page. If the changes materially affect how we handle your personal data, we will notify you by email before the change takes effect. Your continued use of the Service after the effective date constitutes acceptance of the revised policy.

14. Contact & Grievance Officer

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us. In accordance with the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and the rules made thereunder, our designated Grievance Officer can be reached at: